On September 12, 2013 the PCI SSC released the drafts of version 3 of the PCI DSS and PA-DSS. In reviewing the PCI DSS, there are six new requirements that will be considered ‘best practices’ until July 1, 2015 when they will become requirements.
- 6.5.6 – Insecure handling of PAN and SAD in memory.
- 6.5.11 – Broken Authentication and Session Management
- 8.5.1 – Service providers with access to customer environments must use a unique authentication credential (such as a password/phrase) for each customer environment.
- 9.9 – Protect point-of-sale (POS) devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
- 11.3 – Develop and implement a methodology for penetration testing that: is based on industry-accepted penetration testing approaches (for example, NIST SP800-115), includes coverage for the entire CDE perimeter and critical systems, includes testing from both inside the network, and from outside of the network attempting to get in, includes testing to validate any segmentation and scope-reduction controls, defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5, defines network-layer penetration tests to include components that support network functions as well as operating systems, includes review and consideration of threats and vulnerabilities experienced in the last 12 months, and specifies retention of penetration testing results and remediation activities results.
- 12.9 – Additional requirement for service providers: Service providers acknowledge in writing to customers that they will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to, or otherwise stores, processes, or transmits the customer’s cardholder data or sensitive authentication data, or manages the customer’s cardholder data environment on behalf of a customer.
I will discuss requirements 6.5.6 and 11.3 in separate posts. I am not going to discuss 6.5.6 until I have a better understanding of how the PCI SSC expects QSAs to test that memory is being managed properly. I am avoiding 11.3 because it contains enough for a post of its own. But the others can be addressed in this post.
First, I have to say that I was amazed that these actually had to be codified as they are addressed through a number of other requirements. But having run into numerous instances where I have encountered these situations, I understand why the PCI SSC felt the need to explicitly codify them.
For requirement 6.5.11, the guidance provided states:
“Secure authentication and session management prevents unauthorized individuals from compromising legitimate account credentials, keys, or session tokens that would otherwise enable the intruder to assume the identity of an authorized user. “
This requirement is targeting the botnets and Trojan attacks such as with Citadel and Zeus. The problem here is that these are attacks on the end user, not the merchant. As a result, what this new requirement is going to likely be looking for is for the merchant to be using methods to secure authentication and communications such that man-in-the-middle, man-in-the-browser and similar attacks are minimized or even eliminated. It will be interesting to see how the PCI SSC expects this to be accomplished.
It has been a long time coming for 8.5.1. Most QSAs have encountered this situation and we never liked it. The situation that I speak of is managed service providers and software vendors using the same user identifier and password for all of their customers which they support. While one can appreciate why this occurs, it does create a problem should those common credentials become known outside of the organization which has been the case in a number of breaches. As a result, the PCI DSS has been changed to include this new requirement to require managed service providers and software vendors to use unique authentication credentials with each customer.
Requirement 9.9 is to explicitly address a best practice that has been used by a lot of merchants. A number of merchants have experienced the tampering of card terminals over the years. This typically was in the form of soldering a USB thumb drive or SD card into the terminal to collect track data and then replacing a good terminal with the doctored terminal at the merchant. This threat is typically mitigated by video monitoring of terminals as well as the use of serialized security tape or tamper evident seals over a terminal’s case seams that is checked at least daily to ensure that terminals have not been changed out or tampered with.
And finally, requirement 12.9 calls out that service providers explicitly acknowledge in a document that they will maintain compliance with the PCI DSS for all relevant services. Apparently the existing requirements in 12.8 were not providing enough assurance that service providers were complying with the PCI DSS. So now we are going to require that all service providers acknowledge, in writing, that they will maintain compliance with all relevant PCI DSS requirements for all services provided to their customers.