The Payment Card Industry (PCI) has issued an updated version of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA DSS) that will come into force on January 1, 2014.
The eCommerce industry and the wider online ecosystem heavily depend on credit card transactions to function. Consumers need to have absolute trust that their credit card details are secure and private. The various standards issued by the Payment Card Industry are intended to help hosting companies and individual sellers to establish that trust. Every three years, the PCI makes changes to its standards to keep up with the evolving online ecosystem and potential threats. PCI 3.0, which was published earlier this month, is the most recent iteration of that process.
A number of new requirements and adjustments to old requirements have been published that web hosting companies need to be aware of.
Req. 11.3 and 11.3.4 – implement a methodology for penetration testing; if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective.
Usually, data centers and web hosts have a specific set of hardware that they make PCI compliant. The only real requirement here is that those parts of the network infrastructure that deal with handling payment and credit card details are included within the PCI scope. That creates a potential security weakness, because the areas not secured to the level demanded for PCI compliance may be breached in a way that allows access to the PCI-scoped region.
In PCI 3.0, there are additional requirements that obligate companies to provide evidence that their PCI-scoped infrastructure is inaccessible from the rest of the network. The best way to provide that evidence is through penetration testing, where teams attempt to gain access to the PCI-scoped areas from the internal network.
Per-Customer Authentication
Req. 8.6 – where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), these must be linked to an individual account and ensure that only the intended user can gain access.
In a clarification of the PCI 2.0 standards, it is now required that service providers with access to a customer’s system use unique authentication credentials for each customer, meaning that individual users will need unique certificates and security tokens.
Clarification Of Anti-Malware Requirement
It’s long been the standard that systems that interact with credit card data must be subject to malware risk assessment, but the rules have been clarified so that, for example, environments incapable of running anti-malware software, like mainframes, no longer prevent a data center from being compliant.