PCI DSS v4.0 is coming — an overview
The PCI DSS (Payment Card Industry Data Security Standard) is well known as a comprehensive data security standard for payment card data of the international payment brands. The Payment Card Industry Security Standards Council (PCI SSC) keeps revising the standard throughout the years to address evolving risks and threats to payment data, to keep pace with the ever changing IT and payment landscape, and to reinforce security.
The PCI SSC has been working on the new, fundamentally revised version 4.0 of the standard for a long time now. After three RFC phases throughout the years, the new version will now be officially published on the PCI SSC website in March 2022.
Several changes have already been announced and are listed hereafter.
New validation options
PCI SSC plans to add more flexibility to the standard. Traditionally, the intended way of fulfilling a PCI DSS requirement is to follow it word by word. Now, the PCI SSC plans to add a choice: For nearly each requirement, an entity can either choose the traditional way of fulfilling it word by word, or they can use a customized validation.
For each requirement in the standard, the objective that is intended to be reached with it will be given. If an entity thinks that they want to use another way of meeting this intention than following the requirement word by word, they can document how they do this. This includes a risk assessment to verify the appropriateness of the customized way. This documentation, including the risk assessment, is then provided to the assessor, and the assessor identifies suitable testing procedures to verify the implementation of the customized controls.
Requirement changes
To make sure PCI DSS compliance is kept up throughout the year, additional requirements are announced by the PCI SSC, e.g. the necessity for
- Definition of roles and responsibilities for all PCI DSS relevant topics; and for
- Regular verification of PCI DSS scope.
In addition, existing requirements will be adapted to the evolution of threats and security practice. Changes to requirements on the following topics are forecast:
- Authentication requirements,
- Detection mechanism and awareness measures for ongoing threats, and
- Risk assessments.
Also the use of 8‑digit BINs will need to be addressed (see our blog entry).
Of course, the exact details of changes can only be given after the final publication.
Transition process
The PCI SSC has announced a transition period of two years, plus additional transition time for completely new requirements.
So after publication in March 2022, take your time to read the new PCI DSS version, identify the changes, and understand the impact on your environment. Use this year to plan the migration to PCI DSS v4.0 and decide when the right moment is for your entity to switch from version 3.2.1 to 4.0.
Your PCI DSS consultant or assessor can help you understand the intention of the changes, your need for migration, and the validation requirements. Please do not hesitate to contact them. If you do not have direct contact with a PCI DSS expert, please contact the person responsible for PCI DSS at SRC.
To get a first overview of the changes to the standard, you can also join our free PCI DSS v4.0 webinar on 20 April.
8 digit BINs and PCI DSS
On April 1, 2022, the payment brands Visa and Mastercard will expand the BIN (Bank Identification Number) of their cards worldwide from 6 to 8 digits. In future, the first 8 digits of a 16-digit credit card number (Primary Account Number, PAN) will be used to identify the card issuer. The BIN is used in many occasions where the use of the full PAN is not necessary — e.g. for routing of transactions, or for reporting.
BINs and PCI DSS
Wherever a full PAN is used, the systems, environments, processes and people must meet the requirements of the data security standard PCI DSS (Payment Card Industry Data Security Standard). As useful as the protection of the PAN by the PCI DSS is, it is not necessary for the BIN. The PCI DSS therefore describes the conditions under which parts of the PAN do not require the same protection as the full PAN. If only part of the PAN, rather than the full PAN, is stored, processed or transmitted, the PCI DSS refers to this as “truncation”. If the full PAN is stored in the background but not all digits are displayed in an application, the PCI DSS refers to the display as “masking”. In everyday language, the term “crossing out” is used for both measures; from the PCI DSS point of view, however, they have to be differentiated.
The following rules previously applied to truncation and masking:
Changed rules for truncation and masking
However, due to the switch to 8‑digit BINs and the need for many companies to process them, the payment brands have now changed their specifications. The current summary in the PCI SSC FAQ entry now defines that “first 8, any other 4” is permitted for truncation for 16-digit PANs. The (test) card number 4012888888881881 is then allowed to be stored and processed in the form 40128888xxxx1881, for example — it is sufficient if any four digits are crossed out after the BIN. Only for shorter PANs, the existing rules “first 6, any other 4” (Discover) or “first 6, last 4” (American Express) remain in place. A corresponding adjustment of the PCI DSS requirement for masking is expected with the change to PCI DSS v4.0.
From a security point of view, removing so few digits is not an improvement — but from a business perspective, the change is probably necessary. It is to be hoped that, overall, this will be offset by other security measures.
In any case, the requirements of the PCI DSS will not prevent the use of 8‑digit BIN in the future.
Caution when combining different formats
Regardless of the length of the BIN, merchants and service providers who work with truncated card data should take care not to weaken the protection by mixing different formats.
This also applies if different formats are used for masking and truncation.
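The truncation rules quoted above and the caution about mixing formats, as an added example that is not code from the SRC article or from the PCI SSC FAQ: a small checker that encodes “first 8, any other 4” for 16‑digit PANs and the older “first 6, any other 4” rule for shorter PANs, then merges two differently truncated forms of the same test card number to show how the combination can expose the full PAN. The rule table, the mask character and the function names are assumptions made for this example.

```python
# Added example (not SRC's or the PCI SSC's code): checks on PAN truncation
# formats following the "first N, any other 4" rule quoted on the page.

# (max leading digits kept, max further digits kept), keyed by PAN length.
# Constructed from the page's wording; only the 16-digit rule is spelled out there.
RULES = {16: (8, 4)}
DEFAULT_RULE = (6, 4)  # assumed for shorter PANs ("first 6, any other 4")


def truncate(pan: str, keep_first: int, keep_last: int, mask: str = "x") -> str:
    """Return the PAN with only the first keep_first and last keep_last digits readable."""
    if not pan.isdigit():
        raise ValueError("PAN must consist of digits only")
    hidden = len(pan) - keep_first - keep_last
    if hidden <= 0:
        raise ValueError("no digits would be truncated")
    return pan[:keep_first] + mask * hidden + pan[len(pan) - keep_last:]


def visible_positions(truncated: str) -> set[int]:
    """0-based indices of the digits that remain readable in a truncated PAN."""
    return {i for i, ch in enumerate(truncated) if ch.isdigit()}


def check_truncated(truncated: str) -> tuple[bool, str]:
    """Decide whether a truncated PAN still satisfies the applicable rule.

    Readable digits beyond the permitted BIN length count as 'other' digits,
    so a form showing 12 leading digits of a 16-digit PAN is 'first 8, other 4'.
    """
    max_first, max_other = RULES.get(len(truncated), DEFAULT_RULE)
    visible = visible_positions(truncated)
    leading = 0
    while leading in visible:          # length of the readable leading run
        leading += 1
    other = len(visible) - min(leading, max_first)
    if other > max_other:
        return False, (f"{other} digits readable beyond the first {max_first}; "
                       f"at most {max_other} are permitted")
    return True, f"permitted: first {min(leading, max_first)}, other {other}"


def combine(variants: list[str], mask: str = "x") -> str:
    """What someone holding several truncated forms of the same PAN can read.

    A digit is readable if any variant shows it; conflicting digits mean the
    variants do not belong to the same PAN.
    """
    lengths = {len(v) for v in variants}
    if len(lengths) != 1:
        raise ValueError("all variants must have the same length")
    merged = []
    for i in range(lengths.pop()):
        digits = {v[i] for v in variants if v[i].isdigit()}
        if len(digits) > 1:
            raise ValueError(f"conflicting digits at position {i}")
        merged.append(digits.pop() if digits else mask)
    return "".join(merged)


if __name__ == "__main__":
    pan = "4012888888881881"           # test card number quoted on the page
    new_form = truncate(pan, 8, 4)     # "first 8, last 4":  40128888xxxx1881
    old_form = truncate(pan, 6, 4)     # legacy "first 6, last 4": 401288xxxxxx1881
    mid_form = truncate(pan, 12, 0)    # "first 8" plus the next 4: 401288888888xxxx
    for form in (new_form, old_form, mid_form):
        print(form, check_truncated(form))
    # Each form is permitted on its own; together the old and the mid form
    # reveal every digit of the PAN.
    exposed = combine([old_form, mid_form])
    print(exposed, check_truncated(exposed))
```

Combining the old “first 6, last 4” form with the new “first 8, last 4” form exposes nothing extra, because the same trailing digits are kept; the leak arises only when the “any other 4” digits differ between systems.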
SRC specialist Oberender | 5G Security High Assurance
As part of the CAST forum hot topic: 5G Security, SRC specialist Oberender will give a presentation on 5G Security High Assurance. The CAST workshop is hosted by BSI unit SZ32 and will take place online on November 11, 2021.
5G technology will define digital life in Germany in the future, and thus its security features directly protect the integrity of society and its citizens. The test procedure currently being developed by BSI is to consist of three parts: a test based on the 3GPP-defined SECAM Evaluation Methodology TS 33.916, which is being refined at BSI as a Technical Guideline, and possible further tests using the Accelerated Security Certification (BSZ) and the Common Criteria (CC) certification scheme. The security assessor’s perspective here is quite unique. SRC has extensive experience in all of these testing methods and will provide insight into their advantages and disadvantages with regard to the testing of 5G and 6G communication platforms in this presentation. Dr. Jens Oberender presents the different test methods SECAM, BSZ and CC for the approval of 5G security and discusses their objectives and focus.
Mobile networks in Germany are currently entering their next evolutionary stage with 5G technology. This process is accompanied by security requirements and related certification activities. Germany needs secure and sovereign infrastructures for communications. Security features such as reliability and availability are essential factors for Germany’s economic development. The CAST workshop hot topic: 5G-Security provides an overview and outlook on the current status of 5G-Security and its future development.
SRC recognized as test center for Accelerated Security Certification (BSZ)
On 01 October the “Accelerated Security Certification (BSZ)”, the new certification procedure of the German Federal Office for Information Security (BSI) has started. Already on September 28, SRC was recognized by the BSI as a testing body for this new procedure. Sandro Amendola is head of the department Standardization, Certification and Security of Telecommunication Networks at the BSI. On behalf of the BSI he handed over the certificate of recognition to Peter Jung, who is responsible for the BSZ at SRC.
Accelerated Security Certification is the BSI’s new lightweight procedure for certifying the security of IT products. In contrast to a CC certification, a certification according to BSZ has several advantages: a considerably lower documentation effort, a significantly shortened implementation and thus a lower cost.
The certification scheme follows a risk-based approach. The security performance of the IT product and its resistance to attacks are tested by a recognized testing body such as SRC within a fixed timeframe using conformance and penetration tests.
The user also benefits. They receive comprehensible documentation of the security performance and the promise that any vulnerabilities that occur are guaranteed to be remedied within the certificate’s validity period.
“After SRC has already carried out the first successful evaluation according to BSZ, we are very pleased about the recognition as a test center for this innovative certification scheme that has now taken place” says Peter Jung as representative of the test center and topic responsible for the Accelerated Security Certification BSZ at SRC.
SRC was one of the first test centers to be recognized for BSZ. SRC performed the evaluation of the LANCOM-1900EF, the first certified BSZ product ever.
The electronic share: A forward-looking step toward digital capital investments
Until now, securities could only be purchased as physical certificates. Since the beginning of June 2021, the Act on the Introduction of Electronic Securities (eWpG) has offered a paperless, digital alternative for investors and issuers.
The law on the introduction of electronic securities (eWpG)
The Act on the Introduction of Electronic Securities (eWpG), which recently came into force, is designed in particular to open up German law to electronic securities. Investors and issuers can now freely choose between the classic paper certificate or the digitized form. The Act also provides for a central electronic securities register for the registration of digitized securities. The crypto custody business, which is currently coming strongly to the fore, was by no means left out of consideration in the eWpG. This explicitly provides for the legal introduction of crypto securities, for example on a blockchain or general DLT basis. For this purpose, a separate crypto securities register is created, the keeping of which is now regulated as a further financial service under the supervision of BaFin within the meaning of the German Banking Act (KWG). To create legal certainty, the eWpG is to be concretized by an “Ordinance on Requirements for Electronic Securities Registries (eWpRV)”. A draft bill for the eWpRV from the Federal Ministry of Finance and the Federal Ministry of Justice and Consumer Protection is already available.
New opportunities through the interaction of innovative technologies
Cryptocurrencies and, in particular, cryptocurrency custody transactions continue to be among the red-hot digitalization topics. The Act Implementing the Amending Directive to the Fourth EU Money Laundering Directive added crypto custody business to the KWG as a new financial service at the beginning of 2020. This created new market opportunities in the area of cryptocurrency services for banks and financial service providers. Under the new eWpG, electronic securities can also be issued using blockchain or DLT technology (crypto securities). This brings new (financial) services for which the relevant fintechs are already prepared. DLT applications, however, offer IT service providers in the banking environment in particular new opportunities to develop forward-looking business areas. Furthermore, in the summer of 2021, the go-ahead was finally given for the digital euro, which is to serve as a supplement to established payment methods. The trend toward further digitization of the financial industry is now being continued with the introduction of electronic securities.
In addition, the EU Commission recently launched a digital finance package, the contents of which include a separate regulatory proposal for crypto assets or even a pilot project for DLT-based securities.
Tapping market opportunities and overcoming challenges together
Investors are not the only ones who should already be taking a close look at this new topic. In particular, banks and financial service providers now have a renewed opportunity to occupy this promising market segment. However, these new opportunities also lead to new challenges. The SRC experts follow the exciting developments in the field of electronic securities, cryptocurrencies and the digital euro for you and support you in the realization of your services. We will be happy to inform you about the opportunities to get involved in this innovative sector and to master the new challenges together.
SRC expert Botermann | DLT for IT service providers in the banking environment
Crypto assets based on blockchains are moving many states, companies, and the world of banks and their IT service providers.
Distributed ledger technology (DLT for short) is the term used for the technology of “distributed ledgers”. The key difference: transactions are legitimized in a decentralized manner and stored with the participants. As a disruptive technology, DLT makes numerous intermediation and clearing points redundant. Banks are threatened with the loss of their position as anchors for trustworthy transactions.
But this is precisely where the prospects for future business models lie, since it is precisely the banks that traditionally have expertise in the safekeeping of confidential information. The decisive technical trust anchor of every transaction via DLT is the customer’s private key. The trusted management of this private key may prove to be a perspective for the evolution of banks’ business models.
To summarize: DLT applications offer IT service providers in the banking environment good opportunities to adapt their own business models and also position themselves for the future. Services in the crypto custody business can be seen as a suitable entry point, which can be expanded and supplemented in the future.
How can business models in the banking environment be adapted to these developments? What opportunities does the crypto custody business offer? What technical and regulatory requirements must be met?
In the articles DLT for IT service providers in the banking environment (German), crypto custody business: starting point for business field expansion (German) and crypto custody business as a business area expansion for banks (German), published in gi GELDINSTITUTE and on cash.online, SRC expert Dr. Benjamin Botermann gives an insight into and overview of the challenges, opportunities and stumbling blocks of the crypto custody business with distributed ledger technology (DLT).
The SRC experts will follow the exciting developments in the field of cryptocurrency and digital euros for you and support you in the realization of your cryptocustody business. We will be happy to inform you about the possibilities to get involved in this innovative sector.
Intensive seminar | Basic knowledge of IT basics and security measures for non-IT specialists on 15 November 2021
Intensive seminar (online)
Basic knowledge of IT basics and security measures for non-IT specialists
Bank IT in particular is required to protect sensitive information and data with a high level of security and at the same time make it available to authorised persons. To achieve this, information security officers, data protection officers, IT officers and other bank employees must coordinate closely. Despite different professional backgrounds, a common “language” must be found. To do this, it is advantageous to be able to visualise the conceptual world of IT in the context of its processes and interrelationships. This is the only way to succeed in an interdisciplinary exchange with IT experts about IT security measures and their effects in the company and its diverse internal and external communication structures.
The intensive seminar “Basic knowledge of IT basics and security measures for non-IT experts” provides the necessary knowledge about information technology and security measures. The target group is non-IT specialists in credit institutions.
The speaker Florian Schumann is IT manager at SRC Security Research & Consulting GmbH. In this position, he is responsible for the continuous development of IT. He is also a consultant for information security and a qualified auditor according to § 8 (a) BSIG for critical infrastructures.
Module 1: IT terms and basics
Module 2: Encryption
In addition, participants will receive an overview of new technologies and trends, e.g. big data, cloud, artificial intelligence, special features of mobile working / home office. The intensive seminar offers sufficient space to reflect on the upcoming challenges for security.
Intensive seminar (online): Basic knowledge of IT basics and security measures for non-IT specialists, on Monday, 15 November 2021, 10:00 a.m. to 5:00 p.m.
Kick-off for the Digital Euro
After long and intensive discussions at the European level, the starting signal for the digital euro was given on 14 July 2021. First, core questions on the impact on financial stability and monetary policy as well as on the legal framework and a possible technical implementation will be clarified within the framework of a two-year study phase. The goal of the introduction of the digital euro is still to meet the “needs of the people in Europe” and to serve as a supplement to already established payment procedures.
A final decision on the design of the digital euro is then expected after the study phase in mid-2023.
“We will enter into a dialogue with the European Parliament and other European decision-makers and inform them regularly about our findings. Individuals, merchants and the payments sector will also be involved,” said Fabio Panetta (Member of the ECB Executive Board and Chair of the Digital Euro Task Force).
Results of the practical test
The preparatory basis for the landmark decision was the results of a practical test phase over nine months, which examined, among other things, technical aspects of distributed ledger technology (DLT for short), data protection, anti-money laundering and the use of existing systems (e.g. TARGET Instant Payment Settlement — TIPS for short). Energy aspects of possible architecture concepts were also investigated with the aim of limiting energy consumption to well below the current requirements of known cryptocurrencies, e.g. Bitcoin.
Focus on data protection
Consumer protection and data protection aspects are central aspects of the discussion about the digital euro, in addition to the technical implementation. For consumers, the digital central bank money represents a direct claim against the central bank, which under certain circumstances can be limited by a cap in the “wallet”. The competition of the digital euro with cash becomes clear in the discussion about the anonymity of payments. It seems clear that — also with a view to combating money laundering — there will be no completely anonymous digital euro.
Assessment of the German Banking Industry
In a statement, the “Deutsche Kreditwirtschaft” emphasises above all the digital euro’s role in preserving the monetary sovereignty of the Eurozone. The digital euro is assessed as a forward-looking means of payment in a digital economy, which coherently complements the existing and proven systems and structures. The aim should be to achieve the greatest possible synergies with existing payment solutions so that access to digital central bank money can be secured for end consumers. There is a consensus that digitalisation is changing payment transactions and that the ECB must carefully design the digital euro to ensure financial stability. Implementing the envisaged activities will inevitably require high investments from both the institutions and the wider economy.
Will cryptocurrencies become more than speculative objects?
Established cryptocurrencies such as Bitcoin and Co. are gaining importance as speculation objects in asset management, but they are currently rather meaningless in payment transactions. Nevertheless, the ongoing discussion about private cryptocurrencies, e.g. Diem from the Facebook universe, has certainly driven the discussion about the Digital Euro.
The SRC experts follow the exciting developments in the field of cryptocurrency and the Digital Euro for you and support you in the realisation of your crypto custody service. We will be happy to inform you about the possibilities to get involved in this innovative sector.
CASH.DIGITALWEEK 2021 // Webinar: Cryptocurrencies create market opportunities for banks and financial service providers
In a webinar at CASH-DIGITALWEEK 2021, our expert Dagmar Schoppe will explain how cryptocurrencies can create new market opportunities for banks and financial service providers. The date for the webinar is Thursday, 9 September 2021 at 11:00.
Banks and financial service providers traditionally have not only the technical competences to process trustworthy business transactions, but also the necessary expertise to implement regulatory requirements. This can be used well as an entry point into the market for services related to cryptocurrencies, because it is precisely the rapidly growing interest in cryptocurrencies that opens up growing opportunities for credit institutions to become active in this market and to serve customers here as well.
For this, it is necessary that the institutions increase their visibility in this new market segment. Only in this way can they then respond to enquiries from customers, traders as well as service providers. Corporate customers thus also have the opportunity, for example, to offer cryptocurrencies they have issued themselves or to optimally support their customers’ digital business processes using blockchain technology. With the support of banks and financial service providers, corporate clients can further advance the digitalisation of their business processes.
The SRC experts are following the exciting developments in the field of cryptocurrency for you. During the webinar “CASH.DIGITALWEEK 2021 // Webinar: Cryptocurrencies create market opportunities for banks and financial service providers”, Dagmar Schoppe, Head of Banking Compliance at SRC, will explain possible strategies and answer participants’ questions.
SRC provides expert opinion on e‑prescription for gematik
IT security plays a special role in the digitalisation of the healthcare system. In the context of the introduction of the electronic prescription (e‑prescription) for which gematik is responsible, the security of all components will be tested by independent experts approved by gematik.
The introduction of the e‑prescription and the e‑prescription app started on 1 July 2021. By then, data security for patients, doctors and pharmacists had to be ensured. In order to check the security of these applications in their daily work, gematik, with the approval of the Federal Office for Information Security, commissioned several expert opinions to test the applications. Some of these expert opinions were prepared by the experts of the SRC. The result: Nothing stands in the way of a controlled commissioning into production operation. The applications can be integrated into the telematics infrastructure (TI).
The prerequisite for the test phase that now follows is the security assessment, in which the SRC assessors were involved for two components. SRC employees have been accredited as experts by gematik since 2014 and have assessed the identity provider service of RISE as well as the specialist service e‑prescription of IBM. gematik published the summary of the expert reports prepared by the SRC experts on its website on 1 July 2021.
In the test phase that has just started, the e‑prescription is now being tested in everyday practice in the model region of Berlin-Brandenburg. Here, practical findings on the interaction of all components involved in the e‑prescription are to be collected first. The nationwide introduction of the e‑prescription is being prepared for the 4th quarter of 2021.
Every person with statutory health insurance can use their NFC-enabled electronic health card (eGK) with the corresponding PIN for the e‑prescription. The eGK is issued as standard by the statutory health insurance funds to their insured persons.
From 2022, the e‑prescription will be obligatory for all those insured by the statutory health insurers, but private health insurers have already made clear their interest in participating in the e‑prescription. For the time being, private health insurers can decide voluntarily whether to issue the eGK to their insured.
“The introduction of the e‑prescription and the associated app is undoubtedly a milestone for the digitalisation of the German health system. At SRC, we are a little proud to have contributed to securing this solution with our work,” says Randolf Skerka, Head of IS Management at SRC.
“This assessment was characterised by smooth and intensive coordination with the manufacturers RISE and IBM as well as gematik. Only in this way was it possible to ensure the high quality in the short time available,” says Dr. Jens Putzka on behalf of all colleagues involved at SRC.