Maintaining credit and debit card information on behalf of financial services clients demands the highest levels of security and customer confidence, and adhering to standards like PCI DSS plays a crucial role in this. Unfortunately, because the financial sector remains a key target for cyber-criminals – pummeled both by nation-state hackers trying to damage an enemy's core financial infrastructure and by criminals out to steal money – the time has come to put protections in place around the data itself.
Reflective of this environment, it should come as little surprise to many that this version of the standard has some 408 requirements – that's 27 percent more rules than version 2. Notably, the revisions in this version reinforce the criticality of robust encryption and key management. Section 3.5.2, for example, calls on businesses to store the secret and private keys used to encrypt and decrypt cardholder data separately from that data and/or within a secure cryptographic device. Furthermore, the PCI Council also elaborated on the principles of split knowledge and dual control, underscoring the importance of implementing controls so that no single administrator has privileged access to both the keys and the encrypted data.
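To make the split-knowledge and dual-control principles concrete, here is an added example (not from the article or the PCI Council) of an XOR key-component scheme, one common way to implement them: a key-encrypting key is generated and immediately split into components held by separate custodians, any subset of which reveals nothing, and the key is only reassembled when every custodian presents their component. The function names and the component count are my own choices.

```python
import secrets
from typing import Optional, Sequence

KEY_LEN = 32  # 256-bit key-encrypting key (KEK); illustrative size


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n_custodians: int) -> list:
    """Split `key` into n XOR components, one per custodian.

    All but the last component are fresh random bytes; the last is chosen so the
    XOR of all components equals the key. Any n-1 components are therefore
    uniformly random and reveal nothing about the key (split knowledge)."""
    if n_custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(n_custodians - 1)]
    last = bytes(key)
    for c in components:
        last = _xor(last, c)
    components.append(last)
    return components


def generate_and_split_kek(n_custodians: int = 2) -> list:
    """Generate a KEK and split it before it is ever stored whole, so no
    single person or system holds the complete key."""
    return split_key(secrets.token_bytes(KEY_LEN), n_custodians)


def reconstruct(presented: Sequence[Optional[bytes]]) -> Optional[bytes]:
    """Dual control: rebuild the key only when every custodian slot holds a
    component. A missing component (None) refuses reconstruction outright
    instead of producing a wrong key."""
    if not presented or any(c is None for c in presented):
        return None
    length = len(presented[0])
    if any(len(c) != length for c in presented):
        raise ValueError("component length mismatch")
    key = bytes(length)
    for c in presented:
        key = _xor(key, c)
    return key
```

In practice the components would be entered directly into an HSM or key-management appliance during a logged key ceremony rather than handled in application memory.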
There are also a couple of key focus points that will directly affect Cloud Service Providers (CSPs) and that it makes sense to start thinking about now: some of these rules are required for existing implementations in January, but a few not until June of 2015. One of these focus points is a more explicit definition of the shared responsibility of service providers who provide PCI DSS compliant environments and services to customers. Others of interest to CSPs include specific enhancements around penetration testing, education and awareness, as well as specific clarifications around the use of encryption and cryptographic keys.
The most important change for CSPs, however, is the requirement for a written agreement (or acknowledgement) from the CSP to its customers stating its explicit responsibilities for supporting the standard. PCI DSS 2.0 already contained requirements for service providers, but this change will require them to develop specific, contract-level documentation of their commitments.
This is designed to prevent the expensive finger-pointing exercise many organizations encountered on entering the compliance process for something as simple as a Disaster Recovery or Backup site (and failing), whether when an audit took place and expected portions of the standard were not met, or in the investigation following a data breach.
All in all, these new stipulations show why PCI DSS is no longer a simple "check box" compliance activity – it has evolved considerably past the point where, once a year, a business made sure it was adhering to its stipulations. In the past, organizations only encrypted what compliance requirements forced them to protect, or when they operated in an industry where secrets were important. However, in today's brave new world, where the tempo of data breaches perpetrated by hackers shows no sign of slowing and the risk to data can also come from a trusted insider, any business handling payment data and sensitive, personally identifiable data needs to put encryption with granular access controls in place.