There's a new version of the Payment Card Industry standard for network security -- PCI 3.0 -- out today from the group overseeing its publication, the PCI Security Standards Council.
What's new in PCI 3.0
If your organization accepts or processes payment cards, here's what's new that you need to know:
1. Implement a method for penetration testing of the network segments used for storing or processing payment cards. This network area is called "PCI scope" in the jargon of PCI standards and compliance testing. According to council general manager Bob Russo, the idea is you have to "demonstrate evidence that the environment scoped as PCI is truly inaccessible to the rest of the network." He says this is a new requirement because there hasn't been enough testing of the internal network.
But the council doesn't plan to have a list of approved penetration-testing products or services for this because it's assumed that the organization can do this on its own. "This is something new and will require additional work from service providers and merchants," says Rodolphe Simonetti, managing director of Verizon's Card Industry Services. He says the aim of the PCI penetration testing is to "validate scope," and basically that could be done through white-hat hacking methods to see if it's possible to break into a defined PCI network segment. Simonetti also notes that using point-to-point encryption is one way to define network "scope," and Verizon believes P2P encryption will play a larger role in the future, especially in mobile-payments processing.
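The scope-validation exercise described above comes down to recording which connections from outside the PCI segment actually succeed and comparing them against what the segmentation design permits. The following Python script is an added example, not code from InfoWorld, the council, or Verizon; the zone names, the 10.10.20.x addresses and the policy are constructed placeholders.

```python
"""Segmentation (PCI scope) validation helper.

Constructed example: records TCP reachability probes launched from hosts
outside the cardholder data environment (CDE) toward hosts inside it, then
flags every successful connection that the segmentation policy does not
permit. Each flagged path is evidence that the scoped segment is not
"truly inaccessible" from the rest of the network.
"""
import socket
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Probe:
    src_zone: str    # zone the probe was launched from, e.g. "corp-lan" (hypothetical)
    dst_host: str    # CDE host that was probed (hypothetical address)
    dst_port: int
    reachable: bool  # True if a TCP connection was established


def tcp_reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """Single TCP connect attempt, used when collecting live probe results."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def segmentation_violations(probes: Iterable[Probe],
                            allowed: Set[Tuple[str, int]]) -> List[Probe]:
    """Return probes that reached the CDE without a matching policy entry.

    `allowed` lists (src_zone, dst_port) pairs the segmentation design
    deliberately permits, e.g. an admin jump-host zone over SSH.
    """
    return [p for p in probes
            if p.reachable and (p.src_zone, p.dst_port) not in allowed]


# Constructed sample: results as a tester would record them.
SAMPLE_PROBES = [
    Probe("corp-lan", "10.10.20.5", 443, False),
    Probe("corp-lan", "10.10.20.5", 3389, True),   # unexpected: reachable from corp LAN
    Probe("guest-wifi", "10.10.20.6", 22, False),
    Probe("admin-jump", "10.10.20.5", 22, True),   # permitted by policy
]
SAMPLE_POLICY = {("admin-jump", 22)}


def report(probes=SAMPLE_PROBES, allowed=SAMPLE_POLICY) -> List[str]:
    """Evidence lines an assessor can file with the scope validation."""
    lines = []
    for v in segmentation_violations(probes, allowed):
        lines.append(f"VIOLATION {v.src_zone} -> {v.dst_host}:{v.dst_port}")
    if not lines:
        lines.append("OK: no unexpected paths into PCI scope")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

In a real engagement the `Probe` records would be produced by running `tcp_reachable` from a host in each non-CDE zone; the policy set is the piece to maintain carefully, since every entry in it is a documented exception to "inaccessible."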
2. Physical security considerations related to payment-card data get more attention in PCI 3.0. Troy Leach, CTO at the council, says one new requirement involves "common-sense testing and looking for physical tampering of systems in the retail environment and face-to-face transactions." This especially pertains to physical point-of-sale systems, where recommendations are expected to be carried out to prevent card data being skimmed off by crooks. This might include things as simple as regularly looking at the point-of-sale device to see if it or its connected wires have been tampered with. This goes for smaller as well as larger merchants, Leach points out. He adds that Qualified Security Assessors (QSAs) who conduct formal assessments for purposes of PCI compliance can be expected to ask in the future about what programs are in place to educate personnel about card skimming and fraud.