The recent release of PCI Data Security Standard version 3.2 represents an evolution in safeguarding payment data and is comprised of “Clarifications” and “Evolving Requirements”. It would be easy to minimize the importance of this incremental dot release, but a closer inspection reveals a fundamental change in how the standard views the Card Data Environment (CDE) and best practices for securing it.
The Data Security Standard: A Closer Look
Ever since PCI-DSS 1.0, the standard has required two-factor authentication for all remote access to the CDE. The underlying assumptions were:
- Anything outside the CDE was untrusted, requiring heightened access controls.
- Anything inside the CDE was considered trusted and as such, simple password authentication was sufficient.
These assumptions have been duly abandoned because of the numerous disastrous data breaches afflicting the retail industry and that continue to this day. It is important to note that many of these breaches occurred at organizations that were PCI compliant at the time. To understand the motivation for tightening and expanding access controls in the CDE, let’s first look at a summary of Requirement 8.3 of the standard.
A Reaction to New Best Practices
PCI-DSS 3.2 requires multi-factor authentication for all personnel with administrative access within the CDE and for remote access, as well. The following is taken from the PCI-DSS Summary of Changes document:
The two changes in Requirement 8.3 have profound implications for authentication security. First, specifying two-factor authentication was too limiting in scope. Substituting “multi-factor” for “two-factor” recognizes that the security landscape is evolving. New threat vectors will inevitably surface and cybercriminals are increasingly skilled at identifying and taking advantage of them. Three-factor authentication is now being considered as best practice authentication in both government and industry. A multi-layered security model should not be constrained by an arbitrary number of authentication factors.
Second, existing security provisions have repeatedly failed to keep bad actors out of the CDE with the result that there is no trusted zone any longer. Recent breaches confirm this. In many instances, bad actors gained access to internal IT environments using compromised credentials and proceeded to commandeer IT systems, create administrator accounts and masquerade as “trusted” internal actors, hiding in plain sight.
These new best practices are a welcome and much needed rethinking of the role of authentication in protecting card data. However, these updates are reactive in nature. PCI requirement updates are the result of a review process that examines current threats and data breach reports. Such an approach devolves into a game of catch up where security is all about responding to the last security breach. The real issue is that PCI-DSS only provides a baseline of security and not a complete security framework. After all, it only concerns itself with protecting card data. Organizations become fixated on meeting PCI compliance and often at the expense of adopting more comprehensive security frameworks, such as COBIT, ISO 27001 or NIST.
A Better Approach
A more holistic approach would be to integrate PCI-DSS into the wider IT Governance Domain, focusing on its five core pillars:
Designing such a security framework would actually make achieving and maintaining PCI-DSS compliance more certain. To this point, it is a sobering fact that 80% of all companies fall out of PCI Compliance shortly after completing their Risk Assessment or Report on Compliance (according to the Verizon PCI Compliance Report of 2015). This is clear evidence that organizations are making compliance their overriding objective instead of implementing IT Security best practices with compliance as a more manageable and sustainable secondary consideration.
Technical information of the PCI Data Security Standard version 3.2 can be accessed here.
Chris Trytten has over two decades of technical and managerial experience in systems and security at leading companies in Silicon Valley, including positions with Crossmatch, DigitalPersona, Interlink Networks, Apple, Siemens and Amdahl. In his current position as Market Solutions Manager at Crossmatch, he is using his experience serving the Financial and Retail markets by guiding the product and market teams to address the security needs of these industries. Chris is the author of multiple security white papers and articles.