PCI DSS 3.2 – Important 31 January 2018 Deadline & Clarifications

Overview

In April 2016, Version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS) was released. This version of the standard contains a number of new requirements which are considered best practice until 31 January 2018 and come into full force as of 1 February 2018. This document provides an overview of what is new in Version 3.2, separated into:

  • Clarifications of existing requirements that apply to all Version 3.2 reports.
  • New requirements that come into force for all parties (merchants and service providers) as of 1 February 2018.
  • New requirements that come into force for service providers only as of 1 February 2018.
  • The sunset date for SSL and early TLS.

This document summarises what Confide has seen from assessments undertaken since Version 3.2 was released and the information that has been provided by the PCI Security Standards Council.

Clarification (Applicable for all 3.2 reports)

1.1.6.a: Identify the firewall and router configuration standards document(s) reviewed to verify the document(s) contain a list of all services, protocols, and ports necessary, including a business justification and approval for each.

These approvals should be granted by someone other than the person responsible for managing the configuration. For example, this might be a Security Officer or another role responsible for overseeing the PCI DSS process internally, or someone outside the team that performs the day-to-day management of network devices. The point is separation of duties: the person who can add a rule should not be the only person who decides whether the rule is justified.

6.5: Address common coding vulnerabilities in software-development processes as follows:

  • Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
  • Develop applications based on secure coding guidelines.

The requirement for developer training is not new. However, Version 3.2 clarifies that this training must take place for all developers at least annually. We also recommend that testers attend this training, so that they are adequately equipped to test for basic security vulnerabilities.

11.3.4.c: Verify that the [segmentation penetration test] was performed by a qualified internal resource or qualified external third party, and if applicable, the organisational independence of the tester exists (not required to be a QSA or ASV).

The requirement for segmentation testing is not new. However, Version 3.2 clarifies who may perform segmentation penetration testing, bringing it into line with the requirements for internal and external penetration testing. The person performing the segmentation testing must be either a qualified internal resource or a qualified external third party, and there must be sufficient organisational independence (e.g. the penetration testing should not be done by individuals who are responsible for the day-to-day management of the systems, or who report directly to the staff responsible for those teams).

12.3.3: Verify that the usage policies define:

  • A list of all critical devices, and
  • A list of personnel authorised to use the devices

The wording of this requirement has been adjusted to make it clear that the usage policies must include both a list of the critical devices in the environment and a list of the personnel authorised to use the devices. Both lists need to be documented explicitly; group membership in a system such as Active Directory or LDAP is not considered "self-documenting" for this purpose.

Additional Requirements for All Parties (as of 1 February 2018)

There are several new requirements that come into force for both merchants and service providers.

6.4.6: Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.

To ensure that this requirement is met, Confide recommends that a clear definition of what constitutes a "significant change" be written into the change process, so that staff can identify when this level of review is required. While the PCI Council does not provide a definitive definition of a significant change, the guidance for Requirements 11.2 and 11.3 suggests this includes (but is not limited to):

  • New system component installations
  • Changes in network topology
  • Firewall rule modifications
  • Product upgrades
  • Operating system upgrades
  • Sub-networks being added to the environment
  • New web servers

Once significant changes have been defined, we recommend developing a set of templates for reviewing the relevant PCI DSS requirements, to ensure that (1) the relevant requirements have been put in place prior to the system going live, and (2) sufficient testing has been done to meet the requirements of PCI DSS (e.g. penetration testing, vulnerability scanning). Incorporating this into the change control process is one option.

8.3.1: Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.

The PCI Security Standards Council has published a guidance document on what constitutes multi-factor authentication (see https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authentication-Guidance-v1.pdf).

In this document they provide a number of examples of what does and does not constitute multi-factor authentication, and where multi-factor can be placed in the environment. Two points from that guidance are worth checking against any existing implementation: the factors must be independent, so that compromise of one factor does not give access to another (e.g. a one-time code delivered to the same device that holds the password), and the outcome of the authentication must not be revealed until all factors have been presented. We also recommend reviewing the Council's guidance on Scoping and Segmentation (see https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1.pdf), as the way that multi-factor is implemented may be influenced by how you have decided to segment the environment.

Additional Service Provider Requirements (as of 1 February 2018)

These new requirements are currently only applicable to service providers. As defined by the PCI DSS, a service provider is any business that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another organisation, or that otherwise impacts the security of cardholder data.

3.5.1: Maintain a documented description of the cryptographic architecture that includes:

  • Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date
  • Description of the key usage for each key
  • Inventory of any HSMs and other SCDs used for key management

While policies and procedures for key management and the management of encryption devices have long been required, this requirement sets out a new level of detail that must be documented around how cardholder data is protected. In part, this also helps the organisation keep up with evolving threats to the architecture (for example, an algorithm or key length being deprecated), and to detect lost or missing keys or associated devices.
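The value of the 3.5.1 inventory comes from being able to run checks over it rather than reading it once a year. The following is an added example, not code from the page or from Confide: it takes a constructed key inventory in the shape 3.5.1 describes (algorithm, key strength, usage, expiry, storage device) and flags entries that are retired, below the minimum strength, expired or expiring soon, or undocumented. The strength floors (AES 128, RSA 2048, ECC 224 bits, 3DES treated as retired) and the 30-day warning window are assumptions that should be replaced with your own key-management policy.

```python
"""Added example (not from the page): policy checks over a 3.5.1-style
cryptographic inventory.

Thresholds, record layout and the inventory itself are constructed
assumptions, not anything stated in PCI DSS or in the article above.
"""
from datetime import date, timedelta
from typing import Dict, List

# Assumed minimum key strengths per algorithm, in bits.
MIN_BITS = {"AES": 128, "RSA": 2048, "ECDSA": 224, "ECDH": 224, "HMAC-SHA256": 256}
# Algorithms assumed retired by policy regardless of key length.
RETIRED_ALGORITHMS = {"DES", "3DES", "RC4", "MD5"}
EXPIRY_WARNING = timedelta(days=30)

# Constructed inventory: one record per key, as a 3.5.1 document might tabulate them.
INVENTORY = [
    {"id": "dek-2017-03", "algorithm": "AES", "bits": 256, "usage": "PAN data-encrypting key",
     "expires": date(2018, 9, 30), "device": "HSM-01"},
    {"id": "kek-legacy", "algorithm": "3DES", "bits": 168, "usage": "key-encrypting key",
     "expires": date(2019, 1, 1), "device": "HSM-01"},
    {"id": "tls-edge", "algorithm": "RSA", "bits": 1024, "usage": "TLS server key, payment API",
     "expires": date(2018, 2, 10), "device": "edge-lb"},
    {"id": "sig-batch", "algorithm": "ECDSA", "bits": 256, "usage": "",
     "expires": date(2020, 6, 1), "device": "HSM-02"},
]


def audit_inventory(inventory: List[dict], today: date) -> Dict[str, List[str]]:
    """Return {key id: [issues]} for every record that fails a check.
    Records with no issues are omitted, so an empty dict means a clean inventory."""
    findings: Dict[str, List[str]] = {}
    for key in inventory:
        issues: List[str] = []
        alg, bits = key["algorithm"], key["bits"]
        if alg in RETIRED_ALGORITHMS:
            issues.append(f"retired algorithm {alg}")
        elif alg in MIN_BITS and bits < MIN_BITS[alg]:
            issues.append(f"{alg}-{bits} below minimum {MIN_BITS[alg]}")
        elif alg not in MIN_BITS:
            # An algorithm with no policy entry is a documentation gap, not a pass.
            issues.append(f"unknown algorithm {alg}: no strength policy defined")
        if key["expires"] < today:
            issues.append(f"expired {key['expires'].isoformat()}")
        elif key["expires"] - today <= EXPIRY_WARNING:
            issues.append(f"expires within {EXPIRY_WARNING.days} days")
        if not key["usage"].strip():
            issues.append("no documented key usage")
        if not key["device"].strip():
            issues.append("no storage device recorded")
        if issues:
            findings[key["id"]] = issues
    return findings


def demo() -> Dict[str, List[str]]:
    """Run the checks over the constructed inventory as at 1 February 2018."""
    return audit_inventory(INVENTORY, date(2018, 2, 1))


if __name__ == "__main__":
    for key_id, issues in demo().items():
        print(key_id)
        for issue in issues:
            print(f"  - {issue}")
```

Run against the constructed records, the check passes the AES data-encrypting key and flags the 3DES key-encrypting key as retired, the 1024-bit RSA TLS key as both too weak and expiring within the month, and the ECDSA signing key for having no documented usage. Scheduling this against the real inventory turns the 3.5.1 document into an early-warning control rather than a static artefact.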

10.8: Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of:

  • Firewalls
  • IDS/IPS
  • FIM
  • Anti-virus
  • Physical access controls
  • Logical access controls
  • Audit logging mechanisms
  • Segmentation controls (if used)

This requirement is aimed at addressing the increased threat of intrusions going undetected for an extended period of time. Meeting it requires a proactive process: the failure of a control must be noticed by monitoring, not discovered during the next audit or after an incident. There is not yet any clear guidance on what constitutes a timely manner. However, automated tools (for example, alerting when a control stops reporting) are likely to make this task significantly easier.

10.8.1: Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include:

  • Restoring security functions
  • Identifying and documenting the duration (date and time start to end) of the security failure
  • Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause
  • Identifying and addressing any security issues that arose during the failure
  • Performing a risk assessment to determine whether further actions are required as a result of the security failure
  • Implementing controls to prevent cause of failure from reoccurring
  • Resuming monitoring of security controls.

This requirement builds directly on the failures identified under Requirement 10.8 and extends the organisation's incident management procedures to cover the case where a critical security control fails. Because the requirement is new and carries extensive documentation obligations (in particular, the start and end time of the failure and its root cause), we recommend that the process is exercised during its development, to ensure that it can be embedded within the organisation's existing incident processes.
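As an added example that is not part of the original article, the following shows one way to automate the detection side of 10.8 and the duration recording required by 10.8.1. It assumes (an assumption, not anything the standard prescribes) that each critical control writes a periodic heartbeat line to a central log; a control that is silent for longer than its allowed interval is treated as failed, and the last known-good time and recovery time are recorded so that the outage duration can be documented. The control names, log format, thresholds and log excerpt are all constructed for the example.

```python
"""Added example (not from the page): heartbeat-based detection of critical
security control failures (10.8) with start/end recording for 10.8.1.

Constructed scenario: each control writes '<ISO-8601 UTC time> <control> heartbeat'
to the central log. Thresholds and the sample log are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed maximum silence per control; set each to a multiple of the tool's real cadence.
MAX_SILENCE: Dict[str, timedelta] = {
    "firewall": timedelta(minutes=5),
    "ids": timedelta(minutes=5),
    "fim": timedelta(hours=1),
    "antivirus": timedelta(hours=4),
    "audit-log": timedelta(minutes=15),
}


@dataclass
class Outage:
    control: str
    start: datetime               # last known-good heartbeat: a conservative start time
    end: Optional[datetime] = None

    def duration_seconds(self, now: datetime) -> int:
        return int(((self.end or now) - self.start).total_seconds())


def parse_status_line(line: str):
    """Parse the constructed heartbeat format. Anything else raises, so malformed
    input is noticed rather than silently counted as silence."""
    ts, control, event = line.split()
    if event != "heartbeat":
        raise ValueError(f"unexpected event {event!r} in {line!r}")
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), control


class ControlMonitor:
    def __init__(self, started: datetime, max_silence: Dict[str, timedelta] = MAX_SILENCE):
        self.started = started
        self.max_silence = dict(max_silence)
        self.last_seen: Dict[str, datetime] = {}
        self.open: Dict[str, Outage] = {}
        self.closed: List[Outage] = []

    def heartbeat(self, control: str, ts: datetime) -> None:
        if control not in self.max_silence:
            raise KeyError(f"{control!r} is not a monitored control")   # config gap: fail loudly
        # Tolerate out-of-order delivery: only move the watermark forward.
        self.last_seen[control] = max(ts, self.last_seen.get(control, ts))
        outage = self.open.pop(control, None)
        if outage is not None:            # control reports again: close and keep the record
            outage.end = self.last_seen[control]
            self.closed.append(outage)

    def check(self, now: datetime) -> List[Outage]:
        """Open an outage record for every control that has been silent too long
        and return all currently open outages, oldest control name first."""
        for control, limit in self.max_silence.items():
            seen = self.last_seen.get(control, self.started)
            if now - seen > limit and control not in self.open:
                self.open[control] = Outage(control, seen)
        return sorted(self.open.values(), key=lambda o: o.control)


# Constructed log excerpt: the IDS stops reporting after 09:00.
SAMPLE_LOG = """\
2018-02-01T09:00:00Z firewall heartbeat
2018-02-01T09:00:00Z ids heartbeat
2018-02-01T09:00:00Z fim heartbeat
2018-02-01T09:00:00Z antivirus heartbeat
2018-02-01T09:00:00Z audit-log heartbeat
2018-02-01T09:08:00Z firewall heartbeat
2018-02-01T09:08:00Z audit-log heartbeat
"""


def demo() -> Dict[str, object]:
    t0 = datetime(2018, 2, 1, 9, 0, tzinfo=timezone.utc)
    mon = ControlMonitor(started=t0)
    for line in SAMPLE_LOG.splitlines():
        ts, control = parse_status_line(line)
        mon.heartbeat(control, ts)
    failed = [o.control for o in mon.check(t0 + timedelta(minutes=10))]
    mon.heartbeat("ids", t0 + timedelta(minutes=12))   # IDS recovers
    still_failed = [o.control for o in mon.check(t0 + timedelta(minutes=13))]
    record = mon.closed[0]
    return {
        "failed_at_0910": failed,
        "failed_at_0913": still_failed,
        "outage": f"{record.control} {record.start.isoformat()} -> {record.end.isoformat()}",
        "outage_seconds": record.duration_seconds(record.end),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the constructed scenario the check at 09:10 reports only the IDS as failed (the FIM and anti-virus agents are also quiet, but still within their longer allowed intervals), and when the IDS reports again at 09:12 the closed record gives a 12-minute outage measured from the last good heartbeat. Starting the clock at the last known-good time rather than at detection is deliberate: it is the conservative figure to put in the 10.8.1 record, since the control may have been down for any part of the silent interval.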

11.3.4.1: If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.

While this is a new requirement, it extends the existing requirement for organisations that use segmentation to test the effectiveness of that segmentation. The new requirement increases the frequency with which service providers must perform this testing, from annually to at least every six months. While there is no requirement for the testing to be done by an external third party, any internal party must be able to demonstrate both (1) that they are appropriately qualified to perform the testing, and (2) that they are organisationally independent.

12.4.1: Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include:

  • Overall accountability for maintaining PCI DSS compliance
  • Defining a charter for a PCI DSS compliance program and communication to executive management.

The remaining new requirements are focused on the overarching governance processes that help ensure PCI DSS is not treated as a point-in-time event, but is instead integrated into business-as-usual (BAU) processes. As part of that, there needs to be a commitment at the senior level, so that PCI DSS is visible at the executive level.

12.11: Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes:

  • Daily log reviews
  • Firewall rule-set reviews
  • Applying configuration standards to new systems
  • Responding to security alerts
  • Change management processes

This requirement and Requirement 12.11.1 help ensure that operational processes are reviewed regularly to confirm they are actually being followed. While the review is not meant to repeat the testing performed against the PCI DSS requirements themselves, understanding the underlying intention of each of the listed processes should guide how the review is carried out (for example, sampling a handful of days' log reviews and a handful of recent changes, rather than re-performing them). This also helps ensure that failures in processes are identified early, minimising the risk to PCI DSS compliance.

12.11.1: Maintain documentation of quarterly review processes to include:

  • Documenting results of the reviews
  • Review and sign off of results by personnel assigned responsibility for the PCI DSS compliance program.

This requirement ties together the review documentation from Requirement 12.11 and the governance processes from Requirement 12.4, and helps to ensure that senior management has clear visibility of how the processes that affect PCI DSS compliance are performing.

TLS Requirements (1 July 2018)

After 30 June 2018, all entities must have stopped using SSL/early TLS as a security control, and must use only secure versions of the protocol (TLS 1.1 or higher, with TLS 1.2 strongly recommended).

Prior to 30 June 2018, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.

The one exception is point-of-interaction (POI) terminals, and the termination points they connect to, that can be verified as not being susceptible to any known exploits for SSL and early TLS; these may continue to use the older protocols after 30 June 2018.

Appendix A2 of the standard covers the requirements for SSL/early TLS.

Given the impending deadline for disabling SSL and early TLS, we recommend reviewing the current need for these protocols on a regular basis, to determine whether it is possible to disable them prior to the deadline. Note that the requirement is to have the protocols disabled on the server side; it is not enough that current clients happen to negotiate TLS 1.2, as a downgrade is still possible while the older versions remain enabled.
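The practical check is to ask the server which protocol versions it will still negotiate, rather than reading its configuration. The following is an added example, not code from the article or from Confide: it pins a TLS client to one protocol version at a time, records whether the server completes the handshake, and classifies the result against the Appendix A2 cut-off. It assumes that SSLv3 and TLS 1.0 are the versions that must be off and that TLS 1.1 still counts as acceptable under the 2018 guidance (most programmes now require TLS 1.2 as the floor); the target hostname is a placeholder. One caveat is built in: the probing client itself needs an OpenSSL build that can still offer the legacy versions, so a version the client cannot attempt is reported as untested rather than as refused.

```python
"""Added example (not from the page): probe which SSL/TLS versions a server
negotiates and classify the result against PCI DSS v3.2 Appendix A2.

Assumptions: SSLv3 and TLS 1.0 are "SSL/early TLS"; TLS 1.1+ is accepted.
The default target host is a placeholder.
"""
import socket
import ssl
from typing import Dict, List, Optional

VERSIONS = {                       # oldest first; SSLv2 cannot be offered by modern OpenSSL at all
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("SSLv3", "TLSv1.0")      # must be disabled after 30 June 2018 (assumed reading of A2)
SECURE = ("TLSv1.1", "TLSv1.2", "TLSv1.3")


def probe_version(host: str, port: int, version: ssl.TLSVersion,
                  timeout: float = 5.0) -> Optional[bool]:
    """True if a handshake pinned to exactly `version` completes, False if the
    server refuses it, None if this client could not even attempt it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # we test protocol support, not certificate trust
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # let OpenSSL offer legacy cipher suites
    except (ValueError, ssl.SSLError):
        return None                          # client-side library lacks this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False                         # server rejected the version (or no common suite)
    except OSError:
        return None                          # connection problem: not evidence either way


def probe_host(host: str, port: int = 443) -> Dict[str, Optional[bool]]:
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS.items()}


def assess(results: Dict[str, Optional[bool]]) -> Dict[str, List[str]]:
    """Split probe results into the buckets an assessor cares about.
    A version missing from `results` is treated as untested."""
    return {
        "legacy_offered": [v for v in LEGACY if results.get(v) is True],
        "legacy_untested": [v for v in LEGACY if results.get(v) is None],
        "secure_offered": [v for v in SECURE if results.get(v) is True],
    }


def is_compliant(results: Dict[str, Optional[bool]]) -> bool:
    """Compliant only when every legacy version was actually tested and refused,
    and at least one secure version is negotiable. An untested legacy version
    is a gap in the evidence, not a pass."""
    a = assess(results)
    return not a["legacy_offered"] and not a["legacy_untested"] and bool(a["secure_offered"])


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "payments.example.test"   # placeholder host
    res = probe_host(target)
    for name, ok in res.items():
        state = "offered" if ok else ("refused" if ok is False else "untested")
        print(f"{name:8s} {state}")
    print("A2 compliant:", is_compliant(res))
```

The distinction between "refused" and "untested" is the part worth keeping when this is adapted: a scan run from a hardened workstation whose own OpenSSL will no longer speak TLS 1.0 will never see TLS 1.0 offered, and treating that silence as a pass would produce a false assurance. Evidence for the 30 June 2018 deadline should come from a probe that was genuinely capable of offering the legacy versions and was turned away.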

Confide is New Zealand’s Premier Security Assessment Company for the Payment Card Industry.
