Tag Archive for: PCI

PCI DSS v4.0

PCI DSS v4.0 blog entry for September

Timeline for PCI DSS v4.0 migration – What are the next steps?

With March 31, 2024 approaching, PCI DSS v3.2.1 is coming to an end. All merchants accepting payments with cards of the international payment brands Visa, Mastercard, American Express, Discover, JCB, or UnionPay, and all service providers supporting them, should be prepared for PCI DSS v4.0.

But what should be done in particular, and when?

Gap analysis

The first step should be a gap analysis. Anyone who has not yet checked which new requirements apply to them under PCI DSS v4.0 should do so as soon as possible. The reasons are obvious:

  • Implementing new requirements will require time and resources.
  • PCI DSS professionals who can advise on implementation are already well booked.

During the gap analysis, the new requirements must be read, understood, and mapped against the existing landscape of controls. To understand the requirements, it is extremely helpful to read not only the requirement itself, but also the extensive guidance that the PCI SSC has provided alongside each requirement within the standard:

  • the “Guidance” column (to the right of the requirement),
  • the objective pursued by the requirement (below the requirement),
  • and, if available, the applicability note (below the requirement).

The introductory chapters of PCI DSS v4.0 and the glossary in Appendix G can also help in understanding terminology and applicability.

If you already work with a PCI DSS expert, draw on their expertise and experience at this step too.

Prioritisation

When all open items have been identified, timeframes and responsibilities should be assigned. When assigning timeframes, the following should be considered:

  1. How long will the implementation take?

The implementation of new technical solutions often takes a long time due to internal dependencies, and this is frequently compounded by limited staffing. Items that are expected to take a long time to implement need to be addressed earlier than those where a quick completion is expected.

  2. Are targeted risk analyses required?

In v4.0, for many regular tasks the frequency of performance is no longer predefined, but is to be determined by a targeted risk analysis. The implementation of such targeted risk analyses must be coordinated internally and hence requires time.

  3. Are there periods that are particularly good or bad for implementation?

For policy changes, for example, it can make sense to consider document review cycles. For technical changes, it makes sense to consider any freeze periods or release periods that have already been planned.

  4. Is the PCI DSS v4.0 deadline for this requirement 2024 or 2025?

For many fundamentally new requirements in PCI DSS v4.0, the applicability notes state that the requirement is considered best practice until 31 March 2025, after which it is mandatory.

Requirements without this note must be implemented by 31 March 2024 and might therefore require a higher prioritisation.

Decisions

For some new requirements, there are different ways to implement them. Examples are:

  • Requirement 3.4.2 calls for preventing the copying/moving of PAN when it is accessed remotely (except for personnel with an appropriate business need). There are several ways to implement this, e.g. via a setting in RDP when using the remote connection, or by preventing highlighting, copying, or right-clicking on PAN displays on the corresponding web pages.
  • Requirement 8.4.2 requires multi-factor authentication (MFA) when accessing the Cardholder Data Environment (CDE). Depending on how access to the CDE takes place, it may make sense to enforce MFA at network level, at system level, or at application level. This decision must be weighed carefully with the various parties involved. Several parties may even have to work together on the solution.

Weigh up the impact of different solutions at an early stage!

Tracking and Assessing

Once you have prioritised your tasks and decided on implementation paths: please do not sit back! The person or team responsible for maintaining PCI DSS compliance should stay in contact with the teams responsible for the implementation.

  • Are there any enquiries or comprehension issues?
  • Do any problems with the implementation arise?
  • Is the agreed target date at risk?

As soon as a new solution has been implemented, it should be checked whether it meets the corresponding PCI DSS requirement. External PCI DSS experts can also support with small interim pre-assessments in order to be on the safe side for the next official annual assessment.

Continuous Process

Once a requirement is met, there is no guarantee that it will remain so. Card data usage, technologies and attack vectors change. Already today, PCI DSS v3.2.1 comprises regular tasks for maintaining PCI DSS compliance. With PCI DSS v4.0, this is becoming even more of an ongoing process.

Therefore, get into the habit of putting your controls to the test repeatedly, and of adhering to the timeframes for recurring activities (now precisely defined in chapter 7 of the PCI DSS). This will also make it easier for you to comply with new corresponding requirements, such as:

  • 2.4 / 7.2.5.1 Review of user accounts and assigned access rights,
  • 3 Review of risk assessments and review of the appropriateness and security of cryptographic algorithms, hardware and software technologies used,
  • 5 Validate the PCI DSS application scope; and
  • 6.2 Review of the security awareness programme.

Above All: Start!

This is the most important step. If you haven’t started yet, today is the best day to do so. Assemble a team and schedule time.

Should you need any assistance, do not hesitate to contact Jana Ehlers via email.

SRC goes GEAR (Global Executive Assessor Roundtable)!

PCI SSC and SRC

The Payment Card Industry Security Standards Council (PCI SSC) is a global forum that develops and promotes the use of information security standards for secure payments. It is responsible for 15 globally recognized and widely used standards for securing electronic payment processes — from payment card production and issuance to payment at the point of interest or in web & app, to the processing of payments in the background.

SRC has been assessing the use of those information security standards since PCI SSC was founded, by means of corresponding assessments and product evaluations. The PCI SSC attaches great importance to the exchange between different stakeholders and uses various committees and activities for this purpose. SRC has so far participated in Special Interest Groups and Task Forces as well as in Community Meetings and Request for Comment phases.

Global Executive Assessor Roundtable

The PCI SSC has been giving experienced assessor companies the opportunity to advise its senior management since 2018 through the Global Executive Assessor Roundtable (GEAR). We are excited that our company has been selected this year for this responsible membership, which makes us one of the interfaces between the leadership of the PCI SSC and the leadership of the assessment companies. This will enable us to contribute our years of experience in a direct way. The nomination is valid for the next two years and gives us the opportunity to play an influential role in the further development of specifications for assessment procedures, new training programs and qualification requirements for future assessors. Other GEAR responsibilities include finding ways to promote assessors’ engagement in emerging and new markets, and optimizing assessors’ skills to add value for payments companies.

We are proud to be included in this circle and see it as a recognition of our past performance and relevance in the payments security market. At the same time, we are aware of our responsibility to act as a representative for a large community of assessment companies and take this as an additional incentive for the future.

Link to GEAR: https://www.pcisecuritystandards.org/about_us/global_executive_assessor_roundtable/

Aspects of Common Criteria Certifications

Aspects of Common Criteria Certifications — Guest lecture at the Vienna University of Technology

Aspects of Common Criteria Certifications — this is the topic of the lecture that the experts of the SRC evaluation body for Common Criteria will address at the Vienna University of Technology. The lecture will take place on 10 May 2019 as part of the lecture IT Security in Large IT Infrastructures at the Institute of Information Systems Engineering.

Common Criteria in science

With the help of the Common Criteria for Information Technology Security Evaluation (CC), IT products can be evaluated regarding their security according to general criteria. As an internationally recognised standard, Common Criteria is of interest to the scientific world. Initially, an evaluation is carried out by an evaluation body accredited by the German Federal Office for Information Security (BSI). SRC is accredited as such a CC evaluation body. The BSI then carries out the certification.

Guest lecture for students

The SRC experts will discuss the aspects of Common Criteria certifications first-hand. The lecture informs the students about the basic approach for product certifications according to Common Criteria. Infrastructures in the European Union that rely on Common Criteria certification will be highlighted. The formal side, including the responsible certification and recognition bodies, will also be considered. A comparison of Common Criteria with other concepts concludes the lecture: certifications according to technical guidelines of the BSI, ISO 27001, or the criteria of the Payment Card Industry (PCI) will be considered.
