Navigating Recent PCI Updates
The PCI Security Standards Council (PCI SSC) recently released guidance on emerging security technologies. They also released new versions of existing PCI standards. It’s important for developers and retail solution providers to understand how these updates affect their business and customers.
Let’s begin with the supplemental guidance on Point-to-Point Encryption and EMV released on October 5, 2010.
Point-to-Point Encryption (a.k.a. End-to-End Encryption) is an emerging technology that encrypts card data when initially swiped or keyed. Systems in between that never come into contact with the plain text account number and have no way to retrieve the account number can be considered out of PCI scope. The PCI SSC plans to release a Point-to-Point Encryption validation standard in the future. In the meantime, their current guidance document provides a wealth of information for evaluating solutions.
EMV (a.k.a. Chip and PIN) is a standard that makes use of an embedded chip for card-present transactions. Because the chip cannot be copied and transactions require entering the customer’s PIN, EMV transactions can be considered authentic with a high degree of certainty. Merchants who only accept EMV card-present transactions experience significantly less fraud and chargebacks. However, EMV transactions still require the POS to handle sensitive data such as account numbers. PCI requirements still apply. EMV is gaining traction globally, but presents a significant cost to deploy in the U.S. due to the extensive infrastructure already in place.
On October 28, 2010, the PCI SSC released the PCI DSS 2.0 and PA-DSS 2.0 standards. These new versions become effective on January 1, 2011. The PCI DSS standard applies to merchants accepting credit card payments and third party service providers handling card data on behalf of merchants. Developers of hosted solutions are an example of service providers. The PA-DSS standard is for software distributed to merchants that handle credit card data in their environment.
The updates to both standards primarily consist of rewording and restructuring the existing requirements to make them less convoluted. As a result, the interpretation of requirements by you or your QSA may need to change in some cases. There are also a few new requirements. Make sure you understand the changes and additional requirements before performing a PCI DSS or PA-DSS 2.0 validation. The preparation effort is certainly worth the time and energy. Entering a validation unprepared always adds unexpected costs and delays.
To prepare, I recommend reviewing the Summary of Changes documents made available on the PCI SSC web site. Compare the 2.0 standards to the 1.2.1 standards wherever a change was made. Consult other supplemental documents made available on the PCI SSC web site as needed. Expect to perform a lot of cross-checking during this process. Make sure to pay special attention to the new PCI requirements, referred to as “evolving requirements.”
In the PCI DSS 2.0, there are two new requirements.
- Requirement 6.2 expands on identifying vulnerabilities and security patches by requiring you to rank them. Most vulnerabilities are assigned a Common Vulnerability Scoring System (CVSS) score that can be used for this purpose.
- Requirement 6.5.6 expands on avoiding the introduction of new vulnerabilities with internally developed software to include new types of vulnerabilities ranked as “High” in requirement 6.2.
In the PA-DSS 2.0, there are three new requirements.
- PA-DSS requirement 4.4 is to facilitate centralized logging which helps merchants meet PCI DSS requirement 10.5.3. Example formats provided are Common Log File System (CLFS), Syslog, and delimited text.
- PA-DSS 7.1 adds the requirement to rank identified vulnerabilities in support of PCI DSS requirement 6.2. The CVSS may be used for this purpose.
- PA-DSS 5.2.6 expands on avoiding the introduction of new vulnerabilities in software development to include new types of vulnerabilities ranked as “High” in requirement 7.1.
Ever changing PCI guidance and standards can be overwhelming. But PCI is here to stay and compliance is necessary. The industry as a whole, especially POS developers, resellers, and merchants benefit when we take time to incorporate updates and emerging technologies into business practices. For more information, contact Mercury at 800-846-4472 or email PCIpartner@MercuryPay.com.
Mercury makes no representations or warranties to the accuracy of the above information and any reliance or other use of the above information is at your own risk. For the definitive PCI standards, visit the PCI Security Standards Council web site at https://www.pcisecuritystandards.org.