New PCI Standards Come Into Force In The New Year

Category: Community

Photo Credits: Images of Money

The Payment Card Industry (PCI) has issued an updated version of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA DSS) that will come into force on January 1, 2014.

The eCommerce industry and the wider online ecosystem depend heavily on credit card transactions to function. Consumers need to have absolute trust that their credit card details are kept secure and private. The various standards issued by the Payment Card Industry are intended to help hosting companies and individual sellers establish that trust. Every three years, the PCI revises its standards to keep up with the evolving online ecosystem and its threats. PCI 3.0, which was published earlier this month, is the most recent iteration of that process.

A number of new requirements, and adjustments to existing requirements, have been published that web hosting companies need to be aware of.

Pen Testing

Req. 11.3 and 11.3.4 – implement a methodology for penetration testing; if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective.

Usually, data centers and web hosts have a specific set of hardware that they make PCI compliant. The only hard requirement is that the parts of the network infrastructure that handle payment and credit card details fall within the PCI scope. That creates a potential security weakness: the areas not secured to the level demanded for PCI compliance may be breached in a way that allows access to the PCI-scoped region.

In PCI 3.0, there are additional requirements that oblige companies to provide evidence that their PCI-scoped infrastructure is inaccessible from the rest of the network. The best way to provide that evidence is through penetration testing, where teams attempt to hack the PCI-scoped areas from the internal network.

Per Customer Authentication

Req. 8.6 – where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), these must be linked to an individual account and ensure that only the intended user can gain access.

In a clarification of the PCI 2.0 standard, service providers with access to a customer's system are now required to use unique authentication credentials for each customer, meaning that individual users will need their own certificates and security tokens.

Clarification Of Anti-Malware Requirement

It's long been the standard that systems that interact with credit card data must be subject to malware risk assessment, but the rules have been clarified so that, for example, environments incapable of running anti-malware software, such as mainframes, no longer prevent a data center from being compliant.

Web hosting companies should familiarize themselves with the changes, which are summarized in the PCI press release (PDF) and detailed in full in the documents section of the PCI site.

Tags: Hosting Industry, PCI, Security
Nov 19, 2013, 11:53 am. By: InterWorx
