
PCI DSS 3.2 – Important 31 January 2018 Deadline & Clarifications


Overview

In April 2016, Version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS) was released. This version contains a number of new requirements that are considered best practice until 31 January 2018 and come into full force as of 1 February 2018. This document provides an overview of what is new in Version 3.2, grouped as follows:

  • Clarification of requirements that came into force for all Version 3.2 reports.
  • New requirements that come into force for all parties (merchants and service providers) as of 1 February 2018.
  • New requirements that come into force for service providers only as of 1 February 2018.
  • Sunset date for SSL and Early TLS.

This document summarises what Confide has seen from assessments undertaken since Version 3.2 was released and the information that has been provided by the PCI Security Standards Council.

Clarification (Applicable for all 3.2 reports)

1.1.6.a: Identify the firewall and router configuration standards document(s) reviewed to verify the document(s) contain a list of all services, protocols, and ports necessary, including a business justification and approval for each.

These approvals should be granted by someone other than the person responsible for managing the configuration: for example, a Security Officer or other role that oversees the PCI DSS process internally, or someone outside the team that performs the day-to-day management of the network devices.

6.5: Address common coding vulnerabilities in software-development processes as follows:

  • Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
  • Develop applications based on secure coding guidelines.

The requirement for developer training is not new. However, in Version 3.2, it was clarified that this training must take place for all developers at least annually. We also recommend that testers attend this training as well to ensure that they are adequately equipped to test for basic security vulnerabilities.

11.3.4.c: Verify that the [segmentation penetration test] was performed by a qualified internal resource or qualified external third party, and if applicable, the organisational independence of the tester exists (not required to be a QSA or ASV).

The requirement for segmentation testing is not new. However, Version 3.2 clarifies who may perform it, bringing it into line with the requirements for internal and external penetration testing. The person performing the segmentation testing must be either a qualified internal resource or a qualified external third party, and there must be sufficient organisational independence (e.g. the testing should not be done by individuals responsible for the day-to-day management of the systems, or who report directly to the managers of those teams).

12.3.3: Verify that the usage policies define:

  • A list of all critical devices, and
  • A list of personnel authorised to use the devices

The wording of this requirement has been adjusted to ensure that it is clear that the usage policies must include both a list of the critical devices in the environment and a list of the personnel authorised to use the devices. This needs to be documented and cannot be considered “self-documenting” as part of a system such as Active Directory or LDAP.

Additional Requirements for All Parties (as of 1 February 2018)

There are several new requirements that come into force for both merchants and service providers.

6.4.6: Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.

To meet this requirement, Confide recommends that the change-control process define what constitutes a “significant change”, so that staff can recognise when this level of review is required. The PCI Council does not provide a definitive definition, but the guidance for Requirement 11.2 suggests it includes (but is not limited to):

  • New system component installations
  • Changes in network topology
  • Firewall rule modifications
  • Product upgrades
  • Operating system upgrades
  • Sub-networks being added to the environment
  • New web servers

Once significant changes have been defined, we recommend developing a set of templates for reviewing the relevant PCI DSS requirements, to ensure both (1) that the relevant requirements have been put in place before the system goes live and (2) that sufficient testing has been done to meet PCI DSS (e.g. penetration testing, vulnerability scanning). Incorporating this into the change control process is one option.

8.3.1: Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.

The PCI Security Standards Council has published a guidance document on what constitutes multi-factor authentication (see https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authentication-Guidance-v1.pdf).

That document gives a number of examples of what does and does not constitute multi-factor authentication and where multi-factor can be placed in the environment. Two points in it catch out many implementations: the factors must be independent of each other (compromising one must not give access to the other), and the outcome of authentication must not be revealed until all factors have been presented, so a “multi-step” login that reports a bad password before asking for the second factor does not qualify. We also recommend reviewing the Council’s guidance on Scoping and Segmentation (see https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1.pdf), as the way multi-factor is implemented may be influenced by how you have decided to segment the environment.

Additional Service Provider Requirements (as of 1 February 2018)

These new requirements are currently only applicable to service providers. As defined by the PCI DSS, a service provider is any business that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another organisation, or that otherwise impacts the security of cardholder data.

3.5.1: Maintain a documented description of the cryptographic architecture that includes:

  • Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date
  • Description of the key usage for each key
  • Inventory of any HSMs and other SCDs used for key management

While policies and procedures for key management and the management of encryption devices have long been required, this requirement sets out a new level of detail that must be documented about how cardholder data is protected. A current inventory also helps the organisation keep up with evolving threats to the architecture (for example, a deprecated algorithm or an expiring key) and to detect lost or missing keys or associated devices.

10.8: Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of:

  • Firewalls
  • IDS/IPS
  • FIM
  • Anti-virus
  • Physical access controls
  • Logical access controls
  • Audit logging mechanisms
  • Segmentation controls (if used)

This requirement is aimed at the growing problem of intrusions going undetected for extended periods because the control that should have caught them had silently stopped working. Detection must therefore be proactive: someone, or something, has to notice that a control has stopped doing its job, rather than waiting for an incident to reveal it. There is not yet any clear guidance on what constitutes a timely manner. However, automated monitoring of the controls themselves (for example, alerting when a control has not reported within its expected interval) makes this task significantly easier.

10.8.1: Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include:

  • Restoring security functions
  • Identifying and documenting the duration (date and time start to end) of the security failure
  • Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause
  • Identifying and addressing any security issues that arose during the failure
  • Performing a risk assessment to determine whether further actions are required as a result of the security failure
  • Implementing controls to prevent cause of failure from reoccurring
  • Resuming monitoring of security controls.

This requirement builds on the detection process in Requirement 10.8 and extends the organisation’s incident management procedures to cover the failure of a critical security control. Because the requirement is new and its reporting obligations are extensive, we recommend testing the process (for example, by walking through a simulated control failure) while it is being developed, so that it can be embedded in the organisation’s existing incident processes.
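The following is an added example, not Confide’s tooling and not something PCI DSS prescribes, of the kind of automation the two paragraphs above point at: a heartbeat monitor for critical controls. Each control is expected to report in at least once per interval; a gap longer than that is a failure window, and its start and end (or “still failing”) are exactly the duration data Requirement 10.8.1 asks you to record. The control names, intervals and log lines are all assumed or constructed for the example.

```python
"""Heartbeat monitor for critical security controls (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Maximum silence tolerated per control before it is treated as failed (assumed
# values: set each a little above the control's normal reporting period).
EXPECTED_INTERVAL: Dict[str, timedelta] = {
    "fim": timedelta(hours=1),           # FIM agent reports after each scan
    "ids": timedelta(minutes=5),         # IDS sensor keepalive
    "audit-log": timedelta(minutes=15),  # log forwarder batch acknowledgement
    "av": timedelta(hours=6),            # AV engine/signature check-in
}

# Constructed sample heartbeats: "<ISO-8601 UTC> <control> heartbeat".
SAMPLE_LOG = """\
2018-01-15T08:00:00Z fim heartbeat
2018-01-15T09:00:00Z fim heartbeat
2018-01-15T12:30:00Z fim heartbeat
2018-01-15T08:00:00Z ids heartbeat
2018-01-15T08:05:00Z ids heartbeat
2018-01-15T08:10:00Z ids heartbeat
2018-01-15T12:50:00Z audit-log heartbeat
2018-01-15T12:58:00Z audit-log heartbeat
"""
NOW = datetime(2018, 1, 15, 13, 0, tzinfo=timezone.utc)  # assumed "current" time


@dataclass
class Failure:
    control: str
    start: Optional[datetime]  # last heartbeat before the gap (None: never reported)
    end: Optional[datetime]    # first heartbeat after the gap (None: still failing)

    @property
    def ongoing(self) -> bool:
        return self.end is None

    def duration(self, now: datetime) -> Optional[timedelta]:
        """Start-to-end duration for the 10.8.1 record; open windows run to `now`."""
        if self.start is None:
            return None
        return (self.end or now) - self.start


def parse_heartbeats(lines) -> Dict[str, List[datetime]]:
    """Group heartbeat timestamps by control; malformed lines are skipped."""
    seen: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[2] != "heartbeat":
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        seen[parts[1]].append(ts)
    return seen


def detect_failures(heartbeats, now, expected=EXPECTED_INTERVAL) -> List[Failure]:
    """One Failure per silence longer than the control's expected interval."""
    failures: List[Failure] = []
    for control, interval in expected.items():
        stamps = sorted(heartbeats.get(control, []))
        if not stamps:
            failures.append(Failure(control, None, None))  # never reported at all
            continue
        for prev, nxt in zip(stamps, stamps[1:]):           # historical gaps
            if nxt - prev > interval:
                failures.append(Failure(control, prev, nxt))
        if now - stamps[-1] > interval:                      # silent right now
            failures.append(Failure(control, stamps[-1], None))
    return failures


def analyse(lines, now) -> List[Failure]:
    return detect_failures(parse_heartbeats(lines), now)


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines(), NOW):
        state = "ONGOING" if f.ongoing else "resolved"
        print(f"{f.control:10} {state:8} start={f.start} end={f.end} duration={f.duration(NOW)}")
```

On the sample, the FIM agent has a resolved 3.5-hour gap between 09:00 and 12:30, the IDS sensor has been silent since 08:10 and is still failing, and the anti-virus control has never reported at all; the audit-log forwarder is healthy. A control that never reports is deliberately a failure rather than “no data”, because a control that was never wired into monitoring is indistinguishable from one that died.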

11.3.4.1: If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.

While this is a new requirement, it extends the existing requirement for organisations that use segmentation to test its effectiveness: it increases the frequency with which service providers must perform this testing from at least annually to at least every six months, and after any change to segmentation controls or methods. There is no requirement for the testing to be done by an external third party, but any internal party must be able to demonstrate both (1) that they are appropriately qualified to perform the testing and (2) that they are organisationally independent.
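As an added example of the mechanical core of the segmentation test discussed here and under 11.3.4.c above (it is not Confide’s tooling), the script below is run from a host on an out-of-scope network against the CDE address ranges. The logic is the important part: a segmentation control has held only if nothing is reachable, so every (host, port) pair that connects is a finding. The address ranges and port list are assumptions; demo_loopback() exercises the code against 127.0.0.1 so it can run offline.

```python
"""Reachability check for a segmentation penetration test (added example)."""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List, Tuple

# Assumed starting list only: a real test covers all 65535 TCP ports, plus UDP
# and ICMP, from every out-of-scope segment towards every CDE range.
COMMON_PORTS = [22, 80, 443, 445, 1433, 3306, 3389, 5432]


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection completes. A refused connection (RST) and a
    dropped one (timeout) both count as unreachable for the pass/fail verdict,
    but the report should record which: a RST means the packet reached the host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def expand_targets(cidrs: Iterable[str]) -> List[str]:
    """Expand CDE ranges to individual addresses."""
    hosts: List[str] = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        # /31 and /32 have no separate network/broadcast addresses: list them all.
        hosts.extend(str(a) for a in (net if net.num_addresses <= 2 else net.hosts()))
    return hosts


def segmentation_check(cidrs, ports, timeout=1.0, workers=64) -> List[Tuple[str, int]]:
    """Try every (host, port) pair and return the ones that were reachable."""
    pairs = [(h, p) for h in expand_targets(cidrs) for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = pool.map(lambda hp: probe_tcp(hp[0], hp[1], timeout), pairs)
    return [hp for hp, reachable in zip(pairs, hits) if reachable]


def verdict(reachable: List[Tuple[str, int]]) -> str:
    if not reachable:
        return "PASS: no CDE host reachable from this segment"
    host, port = reachable[0]
    return f"FAIL: {len(reachable)} reachable service(s), e.g. {host}:{port}"


def demo_loopback() -> dict:
    """Offline self-check: one listening port (must be found) and one closed port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    closed = socket.socket()              # bind then close: the port is now refused
    closed.bind(("127.0.0.1", 0))
    closed_port = closed.getsockname()[1]
    closed.close()
    try:
        found = segmentation_check(["127.0.0.1/32"], [open_port, closed_port])
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port,
            "found": found, "verdict": verdict(found)}


if __name__ == "__main__":
    print(demo_loopback())
```

The loopback demo necessarily reports a FAIL, which is what a finding looks like: one reachable service is enough to bring the source network into scope. In a real engagement the test is repeated from each out-of-scope segment, the RST-versus-timeout distinction is kept for the report, and the six-monthly result is filed with the evidence of the tester’s qualifications and independence.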

12.4.1: Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include:

  • Overall accountability for maintaining PCI DSS compliance
  • Defining a charter for a PCI DSS compliance program and communication to executive management.

The remaining new requirements are focused on the overarching governance processes to help ensure that PCI DSS is not treated as a point-in-time event, but instead is integrated into the BAU processes. As part of that, there needs to be a commitment at the senior level to ensure that PCI DSS is visible at the executive level.

12.11: Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes:

  • Daily log reviews
  • Firewall rule-set reviews
  • Applying configuration standards to new systems
  • Responding to security alerts
  • Change management processes

This requirement and Requirement 12.11.1 help to ensure that processes are regularly reviewed to ensure that they are being followed. While this requirement is not meant to repeat the testing from the PCI DSS requirements, understanding the underlying intention of each of these requirements should guide how the review process is carried out. This also helps to ensure that failures in processes can be identified early, so as to minimise the risk to PCI DSS compliance.

12.11.1: Maintain documentation of quarterly review processes to include:

  • Documenting results of the reviews
  • Review and sign off of results by personnel assigned responsibility for the PCI DSS compliance program.

This requirement ties the review documentation from Requirement 12.11 to the governance processes of Requirement 12.4, so that the results of those reviews, and therefore the state of the processes that affect PCI DSS compliance, are visible to senior management.

TLS Requirements (1 July 2018)

After 30 June 2018, all entities must have stopped using SSL and early TLS as a security control and use only secure versions of the protocol (TLS 1.1 or higher; the Council strongly recommends TLS 1.2).

Prior to 30 June 2018, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.

Appendix A2 of PCI DSS 3.2 covers the requirements for SSL / early TLS. The one exception it allows is POS POI terminals (and the SSL/TLS termination points they connect to) that can be verified as not susceptible to any known exploits for these protocols; these may continue to use SSL/early TLS after the deadline.

Given the impending deadline, we recommend reviewing more frequently whether any clients still require these protocols, so that they can be disabled as soon as possible rather than on the deadline itself. Do not rely on the configuration alone: test every listener from the outside, including the SSL/TLS termination points in front of the application.
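The script below is an added example, not Confide’s tooling, of how to check from outside whether a server still accepts SSLv3, TLS 1.0 or TLS 1.1. Modern OpenSSL builds (and therefore Python’s ssl module) often cannot even offer SSLv3 any more, so the ClientHello is hand-built: one record, one protocol version, and a few cipher suites that legacy stacks accept. The classifier reads only the first record the server sends back. Host names, ports and the two sample responses are constructed for the example.

```python
"""Single-version TLS ClientHello probe for SSL / early TLS (added example)."""
import os
import socket
import struct
from typing import Dict, List

VERSIONS = {"SSLv3": b"\x03\x00", "TLS1.0": b"\x03\x01",
            "TLS1.1": b"\x03\x02", "TLS1.2": b"\x03\x03"}
NAMES = {code: name for name, code in VERSIONS.items()}
# PCI DSS Appendix A2 requires SSL and TLS 1.0 to be off; TLS 1.1 is still
# permitted but TLS 1.2 is strongly recommended.
MUST_BE_OFF = {"SSLv3", "TLS1.0"}
CIPHERS = b"\x00\x2f\x00\x35\x00\x0a"  # AES128-SHA, AES256-SHA, 3DES-SHA
ALERTS = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(version: bytes) -> bytes:
    """TLS record (type 0x16) wrapping a ClientHello (type 0x01) for one version."""
    body = (version                         # client_version
            + os.urandom(32)                # random
            + b"\x00"                       # session_id length 0
            + struct.pack("!H", len(CIPHERS)) + CIPHERS
            + b"\x01\x00")                  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """'accepted: ...' if the first record is a ServerHello, else why it was not."""
    if not data:
        return "rejected: connection closed without a response"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:
        # server_version sits at offset 9: 5 bytes record header + 4 bytes handshake header
        return "accepted: server negotiated " + NAMES.get(bytes(data[9:11]), "unknown version")
    if data[0] == 0x15 and len(data) >= 7:
        level = "fatal" if data[5] == 2 else "warning"
        return f"rejected: {level} alert {ALERTS.get(data[6], data[6])}"
    return f"unrecognised record type 0x{data[0]:02x}"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, str]:
    """Send one single-version ClientHello per protocol and classify each reply."""
    results: Dict[str, str] = {}
    for name, code in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(build_client_hello(code))
                results[name] = classify_response(s.recv(4096))
        except OSError as exc:
            results[name] = f"rejected: {exc}"
    return results


def failing_protocols(results: Dict[str, str]) -> List[str]:
    """Protocols the server accepted that Appendix A2 requires to be disabled."""
    return sorted(p for p in MUST_BE_OFF if results.get(p, "").startswith("accepted"))


# Constructed responses so the classifier can be exercised offline.
# ServerHello (0x02) in a TLS 1.0 record: server_version 03 01, null session, AES128-SHA.
SAMPLE_SERVER_HELLO_TLS10 = bytes.fromhex("160301002a020000260301") + bytes(32) + bytes.fromhex("00002f00")
# Fatal (2) protocol_version (70) alert in a TLS 1.2 record: the version was refused.
SAMPLE_ALERT_PROTOCOL_VERSION = bytes.fromhex("15030300020246")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        res = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    else:
        res = {"TLS1.0": classify_response(SAMPLE_SERVER_HELLO_TLS10),
               "SSLv3": classify_response(SAMPLE_ALERT_PROTOCOL_VERSION)}
    for name, outcome in res.items():
        print(f"{name:7} {outcome}")
    print("must be disabled:", failing_protocols(res))
```

Two caveats when reading the output. A handshake_failure alert can mean “no common cipher suite” rather than “version refused”, so if a legacy-looking server answers that way, add the older suites it might support before concluding the protocol is off. And the minimal ClientHello carries no SNI extension, so a front end that needs the name to pick a certificate may answer for its default virtual host; the version it negotiates is still the version the listener accepts, which is what the Appendix A2 check is about.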

Confide is New Zealand’s Premier Security Assessment Company for the Payment Card Industry.



5 Must-have Apps For Business Travellers


Travelling for business is still a must-do for many professions in most industries, today. While you may not be travelling to as many meetings as you used to, due to the prevalence of video call apps, not all meetings are successful this way.

Meeting your client or prospective customer in-person is better for closing deals. Therefore don’t put off that all-important business trip, as you can reduce the stresses of organising your travel, business meetings and accommodation with the assistance of technology.

Technology Is A Game-changer For Travel

The whole travel process is now a lot more bearable, with these must-have business travel apps, so check out our top picks.

1. Expensify

When you’re busy navigating transport and prepping for important business meetings, the last thing you want to be worrying about is keeping track of your expenses. Enter Expensify – it does the job for you.

Simply take a picture of your receipts (no matter what the currency) and the clever little app will automatically submit the expense for approval and reimbursement. As if that weren’t enough, it also has GPS tracking, so you can accurately record your mileage too.

2. GetYourGuide

No business trip should be all work and no play, and with GetYourGuide on your phone, you’ll be able to find fun things to do.

This fantastic app shows you the best sight-seeing tours and activities in your destination, and lets you book tickets for them, including the queue-jump variety – perfect if you’re pushed for spare time.

Plus, you can use it offline to access your mobile ticket, directions to your activity and supplier contact details.

3. PackPoint

PackPoint is a helpful little app that puts together a personalised packing list for you, by reviewing factors such as the type of trip (business or leisure), the duration, the weather, and even whether you’ll have access to washing facilities.

Also, the app creates a link for your list which you can share with your colleagues if they’re a little bit bamboozled about what to pack – check out this PackPoint demo video on YouTube to see it in action.

4. Flio

A stressful visit to the airport is the last thing you need at the start of a business trip; however, with Flio installed, you’ll have an expert airport assistant by your side.

This awesome app provides instant airport updates, which means you’ll be the first to know about delays, gate changes and other essential flight-related info.

In addition to this, it has airport guides for more than 300 hubs, lets you purchase airport services such as lounge access and helps you log in to the airport’s official wi-fi – what more could you want?

5. Waze

The Waze navigation app gives you info about traffic, roadworks, accidents and other factors that can cause delays, and even adapts your route so you can reach the airport as quickly as possible.

It also links to other apps, so you can enjoy some travel tunes or your favourite business podcast as you cruise on over to the airport. For example, if you are driving to the airport, you can compare airport parking deals for East Midlands, Heathrow and most major UK hubs. Just think of the time and expense saved by knowing in advance the costs associated with parking!

With these five fantastic apps on your phone, you don’t need to leave anything to chance, you can look forward to less stress and more fun on your next business trip. Plus with more time between meetings you can see the sights and do some shopping for family and friends, and yourself too.

We hope that these awesome business travel apps have got you excited. Let us know what you think of them and tell us about your own favourites in the comments section.


Can Phone Screens Be Replaced?


Even with a protective case and screen protector, there are some situations which will inevitably result in your smartphone’s screen being damaged. From dropping your phone in water to dropping it on concrete, your phone’s screen may eventually need to be repaired or replaced.

Thankfully, there are ways to service your phone without spending a lot of money or sending your phone to the manufacturer in the mail. If you simply search for “cell phone repair near me,” you’ll be able to choose from dozens of local third party services. Here is a quick rundown of the types of situations in which you’ll need to replace your phone screen.

Broken or cracked screen

Fixing a cracked screen is one of the most common phone repairs performed. Generally, this procedure involves removing the broken screen glass and replacing it with a new piece of glass. While you may be able to buy a repair kit online, it’s generally advised that you take your phone to a professional to fix its screen.

This ensures that the repair is done correctly and that you don’t accidentally make matters worse and cause other issues with your phone. A third party service can perform a screen repair quote quickly, allowing you to get back to using your phone in no time at all.

Pressure spots or dead pixels

While not as drastic to your phone’s performance as some of the other issues on this list, dead pixels and pressure spots can severely limit your ability to use your phone to its fullest.

A dead pixel occurs when one of the lights in your phone’s LCD burns out, usually leaving a permanently black or white pixel in its place. While one or two dead pixels can generally be ignored, multiple missing pixels can be particularly frustrating, especially if they’re in key areas on your screen.

The same can be said for pressure spots, which are fingerprint sized discolorations that can obscure even more of your phone’s user interface. Sometimes, users will dismiss these problems and treat them like cosmetic defects. However, it’s best to take care of these before they develop into even bigger problems.

Unresponsive touch screen

An unresponsive touch screen is one of the most serious problems you can run into with your smartphone, and it may take some troubleshooting to rule out other issues. For example, sometimes your iPhone or Android might freeze, but you can still restart your phone. Even resetting your smartphone to factory default is worth a try if you’ve backed up your device’s data and are really looking to fix the problem.

If none of these workarounds rule out your problem, it may be time to take your phone to a professional. The touch screen of a phone features complex circuitry and features that make it crucial to be addressed by an experienced technician. That being said, you don’t necessarily have to go back to the manufacturer for these kinds of repairs. Third party services are often much cheaper.

Water damage

While a bit more rare than other screen problems, if water gets between your glass and the circuitry of your LCD touch screen, the results can be disastrous. In most situations, recovery of your phone comes down to numerous factors, which is why it’s best not to get your hopes up if even a little moisture made it to your phone’s central processor or motherboard.

For this reason, third party companies generally won’t charge a fee for the diagnostic work associated with water damage. Instead, a technician will do their best to determine what work might be able to be accomplished to salvage your hardware and, most importantly, your data.

While replacing the phone in its entirety is usually the end result, sometimes replacing the screen and drying out the phone is possible. So it’s always a good idea to have your phone looked at before you throw in the towel.

While the simple answer to the question “Can my phone’s screen be replaced?” is “yes”, the longer answer is that it depends on the issue your phone is facing. If any of the above issues are happening to your phone, take your device in to a professional technician to see how they may be able to service it.


Court Reporting Versus Digital Recording: Which Is The Better Option?


When it comes to informational accuracy, technology surpasses human intelligence in several circumstances, but are court hearings included? Surprisingly enough, they’re not.

While some people may go along with the potential obsolescence of court reporters and the deployment of digital recording as a sole reporting method, that may not be fully recommended for a number of reasons. Modern technology and artificial intelligence are optimizing day-to-day tasks and facilitating operations that would otherwise take long hours to be completed. On the other hand, despite their systematized functioning, electronic devices aren’t failure-proof. That’s where the human element makes an entrance.

Digital recording: the latest technology for accurate documentation

Digital reporting or electronic reporting is, in the words of the American Association of Electronic Reporters and Transcribers, the “use of professional-level audio recording systems to register court proceedings.” Those unfamiliar with the judicial scene might consider the presence of a human court reporter unnecessary in any case; after all, an electronic device has a faster and stricter capability of collecting crucial information. Still, electronics malfunction and break, and regardless of outside conditions they will only ever do what they were built to do, which isn’t optimal when you think about it.

When taking human failure rates into account, however, one may find that there’s a high risk of information loss and defective machine performance. In ideal conditions, the recording device would be working properly, and all members would respect their time to speak. Yet it’s common for litigants to lower their voices or speak almost inaudibly in certain instances, which may or may not be caught by a recording device. Additionally, not everyone will keep their speech steady in court, and members will sometimes interrupt one another. When such situations meet poor device functioning, bad audio quality, and human error (e.g. forgetting to press the “record” button), a lot of missing information could compromise the case, and that information could be gone permanently.

The job of court reporters is still critical for complete reports

Court reporters are highly trained professionals who are knowledgeable about legal proceedings and emergent technologies. Their expertise and dexterity is based on years of training, which qualifies them to document entire judicial processes. Just for reference, a person must be able to type about 225 words per minute in order to pass the United States Registered Professional Reporter Test.

Another major difference between digital recordings and court reporters is that the best professionals have an expedited turnaround of all transcripts, as is the case with skillful Miami court reporters. Some court cases require faster processing and a shorter turnaround time for being more complicated than others, which once again favors the reporters’ set of skills. They won’t simply deliver transcripts on time — they’ll interpret them, clarify misheard sentences with heavy accents, for example, and offer real-time technology so every court member, including the hard of hearing, has instant access to transcripts. Their role makes sure to benefit judges and jurors alike, providing information that can be accessed in person or remotely.

Should one be employed without the other?

Without technological assistance, the job of court reporters would be harder. For this reason, their education and certifications must always meet high standards of innovation and deliver extremely precise transcripts in a short period of time.

For all-encompassing and error-free documentation, digital recordings paired with the proficiency of a court reporter would be suitable. However, reliable and proficient reporters are always up to date with the latest technologies to capture hearings accurately, so the extra cost of a recording device might not be necessary. Court reporters are, at least for the foreseeable future, the best voice-to-text transcribers courts can rely on.
