When American gangster Willie Horton was asked why he robbed banks, he replied: "Because there is money there." Modern scammers who specialize in high technology are guided by roughly the same reasoning, which is why today's commercial organizations are the targets of financial fraud.

The following figures can illustrate this situation: according to PrivacyRights.org, for the period from January 2005 to April 2016, a total of 4,823 data leaks were recorded, resulting in 898 million confidential data records being compromised.
In addition, careless practices within organizations themselves can expose the personal data of cardholders. A survey of companies in the US and Europe identified the following practices that put cardholder data at risk:
- 81% of companies store payment card numbers;
- 73% of companies store information about the validity of payment cards;
- 71% of companies store security codes for payment cards;
- 57% of companies store data read from the magnetic stripes of payment cards;
- 16% of companies store other personal data.
Source: Forrester Consulting: The State of PCI Compliance (PCI compliance study commissioned by RSA / EMC)

To prevent financial fraud and its potentially serious consequences, it is important to improve the security of cardholder data and to ensure full protection of billing data. The PCI DSS standard was created for this purpose.
What is the PCI DSS standard?
The abbreviation PCI DSS stands for Payment Card Industry Data Security Standard. It is the name of the information security standard that regulates the activities of organizations working with the payment cards of the major payment systems, including Visa, MasterCard, American Express, Discover and JCB.
Initially, this standard emerged as a result of cooperation between the Visa and MasterCard payment systems, but later other credit card companies represented in the United States supported the development of the PCI DSS standard as part of their own programs.
This standard sets industry-wide security requirements. It consists of 12 basic requirements, which are divided into more than 200 sub-requirements.
Some facts about the PCI DSS standard
This standard was developed to help improve the security of cardholder data, as well as to accelerate the adoption of coordinated measures to protect such data at the global level.
Individual brands of payment systems independently determine the need to comply with the requirements of PCI DSS and establish penalties for non-compliance with these requirements.
Companies wishing to obtain a PCI DSS compliance certificate must undergo a security audit, which is carried out by an independent body.
The requirements of the PCI DSS standard apply to all organizations involved in the processing of payment cards, including trade organizations, processing companies, financial institutions and service providers, as well as other organizations that store, process or transmit data of payment card holders and / or authentication data.
What innovations have appeared in the eighth requirement of the standard PCI DSS in version 3.2?
"One of the important changes in the PCI DSS 3 standard was the addition of multifactor authentication as a mandatory requirement for any employees who have administrative access to the environment used to work with cardholder data. Thus, a password alone is no longer enough to authenticate a user and provide access to confidential information, even if that user accesses data while on a secure network," said Troy Leach, technical director of the PCI Security Standards Council.
Multifactor authentication (MFA) refers to an authentication concept in which a user must verify his identity in two or more independent ways before being authorized to access the system. In practice this means that the user must provide:
- Something he knows: a password or passphrase
- Something he has: a token, a smart card, or access to a mobile device
- Something he is: a fingerprint, an iris scan, or some other form of biometric authentication.
In previous versions of the PCI DSS standard, two-factor authentication was required for remote access to the cardholder data environment from any unsecured network.
Let's take a closer look at the 8th requirement of the standard, which regulates secure access to data of bank card holders.
Paragraph 8.1.5 specifies that, whatever their relationship with the organization, ALL third parties with remote access to the cardholder data environment (CDE) must use multifactor authentication. Previously, this requirement applied only to vendors.
A significantly more important change appears in requirement 8.3, which is now split into two sub-requirements. In particular, a new part of the paragraph has been added that noticeably expands the requirements for the use of multifactor authentication by individual users who access the cardholder data environment while in the office.
Requirement 8.3.1 - a new requirement that mandates the use of multifactor authentication by all employees who have access to cardholder data, that is, who have local access to the cardholder data environment and to the databases containing cardholder information. Requirement 8.3.1 comes into force on February 1, 2018.
Requirement 8.3.2 - mandates the use of multifactor authentication by all employees who have remote access to the cardholder data environment.
Thus, in the newest version of the PCI standard, requirement 8.3 regulates the need to use multifactor authentication for all users, regardless of whether they are in the office or access the system remotely, as well as for administrators with privileged access.
Therefore, even if an organization already uses two-factor authentication for remote users, it will now have to apply multifactor authentication to all users who have access to the systems, including when those users are in the office.
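The following is an added example (not from the original article or the PCI Security Standards Council) that turns the MFA definition and the requirement 8.3.1 / 8.3.2 rules above into an audit check. It assumes a constructed key=value authentication log format and a constructed mapping of authenticator names to factor types; it also applies the rule that two authenticators of the same type (e.g. a password plus a passphrase) do not count as multifactor.

```python
# Map authenticator names to factor types (constructed assumption; a real
# deployment classifies its own authenticators).
FACTOR_TYPE = {
    "password": "knowledge", "passphrase": "knowledge",
    "totp_token": "possession", "smart_card": "possession", "push_app": "possession",
    "fingerprint": "inherence", "iris": "inherence",
}

def is_multifactor(factors):
    """True only if at least two DISTINCT factor types were presented.
    A password plus a passphrase is still single-factor (both 'knowledge')."""
    kinds = {FACTOR_TYPE[f] for f in factors}
    return len(kinds) >= 2

def mfa_required(remote, target_cde, version="3.2"):
    """Whether requirement 8.3 demands MFA for an access to the CDE.
    version '3.2'    : 8.3.1 (all local/in-office CDE access) + 8.3.2 (all remote access).
    version 'pre-3.2': only remote access to the CDE needed two-factor authentication."""
    if not target_cde:
        return False          # 8.3 is scoped to the cardholder data environment
    if remote:
        return True           # required both before and after 3.2
    return version == "3.2"   # 8.3.1 newly extends MFA to in-office access

def audit(log_lines, version="3.2"):
    """Parse constructed 'key=value' auth log lines and return the users whose
    CDE access lacked MFA where requirement 8.3 demands it."""
    findings = []
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        remote = fields["src"] == "remote"
        target_cde = fields["target"] == "cde"
        factors = fields["factors"].split(",")
        if mfa_required(remote, target_cde, version) and not is_multifactor(factors):
            findings.append(fields["user"])
    return findings

# Constructed sample log lines, not real output from any product.
SAMPLE_LOG = [
    "user=alice src=remote target=cde factors=password,totp_token",
    "user=bob src=office target=cde factors=password",
    "user=carol src=remote target=cde factors=password,passphrase",
    "user=dave src=office target=crm factors=password",
]

if __name__ == "__main__":
    print("PCI DSS 3.2 findings:", audit(SAMPLE_LOG))            # ['bob', 'carol']
    print("pre-3.2 findings:", audit(SAMPLE_LOG, "pre-3.2"))    # ['carol']
```

Running it shows the effect of 8.3.1: bob's password-only in-office access to the CDE was acceptable before 3.2 but is a finding now, while carol's two knowledge factors never satisfied MFA in either version.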