Tuesday, September 24, 2013

PCI / PA DSS v3.0 - Payment Card Industry / Payment Application Data Security Standard Preview Released

PCI DSS v 3.0 and PA DSS v 3.0 :

                           Payment Card Industry / Payment Application Data Security Standard Version 3 Preview released and Change Highlighted below . 

 "PCI DSS and PA-DSS 3.0 will provide organizations the framework for assessing the risk involved with technologies and platforms and the flexibility to apply these principles to their unique payment and business environments, such as e-commerce, mobile acceptance or cloud computing,"



                           PCI Security Standards Council (PCI SSC) has published a highlights document outlining the coming enhancements to the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) in version 3.0 of the two. The changes are oriented towards making PCI DSS part of companies’ business-as-usual activities rather than a yearly checkbox compliance act, by focusing on three key areas: introducing more flexibility, an increased focus on education and awareness, and security as a shared responsibility.



                                   PCI DSS applies to all organisations that process, store or transmit card holder data, whether as part of their merchant activities or as a service provider on behalf of a merchant. If as a merchant you contract all payment details to a 3rd party you still need to be compliant as you have responsibilities for ensuring the 3rd parties meet the standard.

The updated versions of PCI DSS and PA-DSS will:
  • Provide stronger focus on some of the greater risk areas in the threat environment
  • Provide increased clarity on PCI DSS & PA-DSS requirements
  • Build greater understanding on the intent of the requirements and how to apply them
  • Improve flexibility for all entities implementing, assessing, and building to the Standards
  • Drive more consistency among assessors
  • Help manage evolving risks / threats
  • Align with changes in industry best practices
  • Clarify scoping and reporting
  • Eliminate redundant sub-requirements and consolidate documentation
Over the next few months up to and including the new version of the PCI DSS we will be reviewing information from the PCI Security Standard Council and publicising the changes, so check our PCI DSS pages for updates.
Changes to the standards have been classified as Clarification, Additional Guidance and Evolving requirement. The evolving requirements are to ensure the standards are up to date with emerging threats and changes in the market such as mobile acceptance and cloud computing.
Throughout PCI DSS version 3.0 there are key themes that designed to help organisations take a proactive approach to cardholder data security:
  • Education and awareness
    Lack of education and awareness around payment security, coupled with poor implementation and maintenance of the PCI Standards, gives rise to too many of the security breaches happening today. Updates to the standards are geared towards helping organisations better understand the intent of requirements and how to properly implement and maintain controls across their business. Changes to PCI DSS and PA DSS will help drive education and build awareness internally and with business partners and customers.
  • Increased flexibility
    Changes to the standards focus on some of the most frequently seen risks that lead to incidents of cardholder data compromise - such as: weak passwords and authentication methods; malware; and poor self-detection - providing added flexibility on ways to meet the requirements. Increased flexibility will enable organisations to take a more customised approach to addressing and mitigating common risks and problem areas. At the same time, more rigorous testing procedures for validating proper implementation of requirements will help organisations drive and maintain controls across their business.
  • Security as a shared responsibility
    Securing cardholder data is a shared responsibility. Today’s payment environment has become ever more complex, creating multiple points of access to cardholder data. Changes introduced with PCI DSS and PA DSS focus on helping organisations understand their organisation’s PCI DSS responsibilities when working with different business partners to ensure cardholder data security.

Encryption and Key Management (section 3):

A lot of clarifications have been introduced in this part of the standard in order to ensure adequate protection of all encryption material. As an example of this, an additional emphasis has been put on testing procedures to specifically enforce things such as secure storage of the keys (HSM, etc.), separation of Key Encrypting Keys and Data Encrypting Keys, and to enforce Split Knowledge and Dual Control of the keys.

Secure Developments (section 6):

Again a lot of clarifications such as developers must be properly trained in secure coding techniques, developing secure applications also applies to applications developed by third parties and more stringent requirement on the use of a Web Application Firewall (WAF).It is also interesting to note that a new requirement will involve specifically protecting attacks again the PAN and SAD when insecurely handled in memory! This last requirement will be considered as best practice for the time being, before becoming mandatory on the 30th June 2015.

Role-base Access Control and User Management (sections 7 & 8):

Regarding access to systems, it is now made clear that each role must be clearly defined with all levels of privilege required for the role. We are also happy to see that an additional emphasis has been put on user IDs managed by vendors and third parties when they access their customer’s environment, yes, those account must be disabled when not in use. Also guidance on how to select strong authentication credentials (such as passwords!) must now be provided to users. 

Physical Security… now including POS devices! (section 9)

It is clearly making sense to include the protection of POS devices within the PCI DSS standard and things such as maintaining a list of such devices and training personnel on detecting tampering and substitution have now been included in the standard.

Penetration Testing (section 11)

The PCI community will be glad to know that a proper penetration testing methodology is now required. As per other requirements, it is now mandatory to ensure that those penetration tests follow industry-accepted best practices in order to ensure that their results are actually useful in evaluating the security of an environment. Interestingly, a number of new requirements are now enforcing things such as testing the efficiency of the controls used for segmentation, when segmentation is in place. 

Application Testing Boost in PCI 3.0

                     When it comes to application security, the Council will change some key requirements of the PA-DSS, according to a preview document released by the PCI SSC

Among them:

  • Requirement 5: this requirement governs development of secure applications. In Version 3.0, it will include enhanced requirements for system (read that “application”) development processes. Most important: PA-DSS version 3.0 will mandate periodic security reviews and require application threat modeling techniques and step to verify the integrity and security of application source code before an application is released to customers. The list of common vulnerabilities that application publishers must test against will also be brought into alignment with the latest version of common vulnerabilities from groups like OWASP, NIST, SANS, and so on, to make sure that that PA-DSS is aligned with current and emerging threats.
  • Requirement 7: this governs application requirements and testing procedures. It has been updated to make it clear that vendors must include release notes with each application update to help merchants determine whether the version of an application that they’re using is on the PA-DSS list of approved applications.
  • Requirement 14: this is a new requirement for the PA-DSS that will require training of integrators, resellers and vendor personnel.

 Download Link : 


RRN Technologies Team