
PCI DSS 3.2 – Important 31 January 2018 Deadline & Clarifications

Overview

In April 2016, Version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS) was released. This new version of the standard contains a number of new requirements which come into full force as of 1 February 2018. This document provides an overview of what is new in Version 3.2, separated by:

  • Clarification of requirements that came into force for all Version 3.2 reports.
  • New requirements that come into force for all parties (merchants and service providers) as of 1 February 2018.
  • New requirements that come into force for service providers only as of 1 February 2018.
  • Sunset date for SSL and Early TLS.

This document summarises what Confide has seen from assessments undertaken since Version 3.2 was released and the information that has been provided by the PCI Security Standards Council.

Clarification (Applicable for all 3.2 reports)

1.1.6.a: Identify the firewall and router configuration standards document(s) reviewed to verify the document(s) contain a list of all services, protocols, and ports necessary, including a business justification and approval for each.

These approvals should be granted by someone other than the person responsible for managing the configuration. For example, this might be a Security Officer or another role responsible for overseeing the PCI DSS process internally, or someone outside the standard team responsible for the day-to-day management of network devices.
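As an added illustration (this is not code from the Confide article or from the PCI SSC), the check below reconciles an exported firewall rule set against the documented services/protocols/ports standard that Requirement 1.1.6 asks for: every permitted flow must appear in the standard with a business justification, and the approver must not be the team that manages the configuration. The rules, team names and standard entries are constructed for the example.

```python
"""Added example: reconcile running firewall rules with the documented
services/protocols/ports standard (Requirement 1.1.6). All data is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One permitted flow as exported from the running firewall configuration."""
    proto: str
    port: int
    src: str
    dst: str


# Constructed export of the running rule set.
RUNNING_RULES: List[Rule] = [
    Rule("tcp", 443, "any", "web-dmz"),
    Rule("tcp", 22, "admin-net", "cde-jump"),
    Rule("tcp", 1433, "web-dmz", "cde-db"),
    Rule("udp", 161, "any", "cde-db"),        # SNMP: not in the standard at all
]

# Constructed standards document: (proto, port) -> service, justification,
# who approved it and which team manages the configuration.
STANDARD: Dict[Tuple[str, int], Dict[str, str]] = {
    ("tcp", 443): {"service": "HTTPS to payment web tier", "justification": "Customer checkout",
                   "approver": "security-officer", "managed_by": "netops"},
    ("tcp", 22): {"service": "SSH to CDE jump host", "justification": "Administration",
                  "approver": "netops", "managed_by": "netops"},             # self-approved
    ("tcp", 1433): {"service": "MSSQL from web tier", "justification": "",
                    "approver": "security-officer", "managed_by": "netops"},  # no justification
}


def review_rules(rules: List[Rule],
                 standard: Dict[Tuple[str, int], Dict[str, str]]) -> List[str]:
    """Return one finding per gap between the running rules and the standard."""
    findings: List[str] = []
    in_use = set()
    for r in rules:
        key = (r.proto, r.port)
        in_use.add(key)
        entry = standard.get(key)
        label = f"{r.proto}/{r.port} {r.src}->{r.dst}"
        if entry is None:
            findings.append(f"{label}: not in the documented standard")
            continue
        if not entry["justification"].strip():
            findings.append(f"{label}: no business justification recorded")
        if entry["approver"] == entry["managed_by"]:
            findings.append(f"{label}: approved by the same team that manages the "
                            f"configuration ({entry['approver']})")
    # Documented entries with no live rule are worth a question too (stale standard?).
    for key, entry in standard.items():
        if key not in in_use:
            findings.append(f"{key[0]}/{key[1]}: documented ({entry['service']}) "
                            f"but no running rule uses it")
    return findings


if __name__ == "__main__":
    for line in review_rules(RUNNING_RULES, STANDARD):
        print(line)
```

Running the sample produces three findings: the SNMP rule that is absent from the standard, the SSH entry approved by the team that manages it, and the MSSQL entry with an empty justification.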

6.5: Address common coding vulnerabilities in software-development processes as follows:

  • Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
  • Develop applications based on secure coding guidelines.

The requirement for developer training is not new. However, in Version 3.2, it was clarified that this training must take place for all developers at least annually. We also recommend that testers attend this training as well to ensure that they are adequately equipped to test for basic security vulnerabilities.

11.3.4.c: Verify that the [segmentation penetration test] was performed by a qualified internal resource or qualified external third party, and if applicable, the organisational independence of the tester exists (not required to be a QSA or ASV).

The requirement for segmentation testing is not new. However, Version 3.2 clarified who may perform segmentation penetration testing, bringing it into line with the requirements for internal and external penetration testing. The person performing the segmentation testing must be either a qualified internal resource or a qualified external third party, and there must be sufficient organisational independence (e.g. the penetration testing should not be done by individuals who are responsible for the day-to-day management of the systems, or who report directly to the staff responsible for those teams).

12.3.3: Verify that the usage policies define:

  • A list of all critical devices, and
  • A list of personnel authorised to use the devices

The wording of this requirement has been adjusted to ensure that it is clear that the usage policies must include both a list of the critical devices in the environment and a list of the personnel authorised to use the devices. This needs to be documented and cannot be considered “self-documenting” as part of a system such as Active Directory or LDAP.

Additional Requirements for All Parties (as of 1 February 2018)

There are several new requirements that come into force for both merchants and service providers.

6.4.6: Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.

To ensure that this requirement is met, Confide recommends that a clear definition of what constitutes a “significant change” be established within the processes, so that staff can identify when this level of review is required. While the PCI Council does not provide a definitive definition of a significant change, guidance from Requirement 11.2 suggests this includes (but is not limited to):

  • New system component installations
  • Changes in network topology
  • Firewall rule modifications
  • Product upgrades
  • Operating system upgrades
  • Sub-networks being added to the environment
  • New web servers

Once significant changes have been defined, we recommend developing a set of templates for reviewing the relevant PCI DSS requirements, to ensure that both (1) the relevant requirements have been put in place prior to the system going live, and (2) sufficient testing has been done to meet the requirements for PCI DSS (e.g. penetration testing, vulnerability scanning, etc.). Incorporating this into the change control process is one option.

8.3.1: Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.

The PCI Security Standards Council recently published a guidance document on what constitutes multi-factor authentication (see: https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authentication-Guidance-v1.pdf).

In this document they provide a number of examples of what does and does not constitute multi-factor authentication and where multi-factor can be placed in the environment. We also recommend reviewing the PCI Security Standards Council’s guidance on Segmentation and Scoping (see: https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1.pdf), as the way that multi-factor is implemented may be influenced by how you have decided to segment the environment.

Additional Service Provider Requirements (as of 1 February 2018)

These new requirements are currently only applicable to service providers. As defined by the PCI DSS, a service provider is any business that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another organisation, or that otherwise impacts the security of cardholder data.

3.5.1: Maintain a documented description of the cryptographic architecture that includes:

  • Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date
  • Description of the key usage for each key
  • Inventory of any HSMs and other SCDs used for key management

While policies and procedures for key management and the management of encryption devices have long been required, this requirement sets out a new level of detail that must be documented around how cardholder data is protected. In part, this also helps the organisation to keep up with evolving threats to the architecture, and to detect lost or missing keys or associated devices.
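The following is an added example (not from the Confide article or the PCI SSC) of keeping the 3.5.1 description in a machine-readable form so it can be reviewed rather than just filed: one row per key with algorithm, strength, usage, protocol, expiry and where it is held, plus a check that flags expired keys, keys below a minimum strength, missing usage descriptions, and HSM references that are not in the SCD inventory. The inventory rows, the minimum strengths and the review date are assumptions made for this example; the article sets no such numbers.

```python
"""Added example: a reviewable cryptographic key inventory for Requirement
3.5.1. Entries, thresholds and the review date are constructed/assumed."""
from datetime import date
from typing import Dict, List

# Assumed minimum key strengths in bits, per algorithm (example values).
MIN_STRENGTH_BITS: Dict[str, int] = {"AES": 128, "RSA": 2048, "ECDSA": 256, "HMAC-SHA256": 256}

# Constructed inventory: one row per key, as a reviewer would want to read it.
INVENTORY: List[Dict] = [
    {"id": "dek-pan-01", "algorithm": "AES", "strength": 256,
     "usage": "data-encrypting key for stored PANs", "protocol": "AES-256-GCM at rest",
     "expires": date(2019, 6, 30), "stored_in": "hsm-01"},
    {"id": "kek-master", "algorithm": "RSA", "strength": 1024,
     "usage": "key-encrypting key wrapping the DEKs", "protocol": "RSA-OAEP wrap",
     "expires": date(2020, 1, 1), "stored_in": "hsm-01"},
    {"id": "tls-gateway", "algorithm": "RSA", "strength": 2048,
     "usage": "", "protocol": "TLS 1.2",
     "expires": date(2017, 12, 31), "stored_in": "hsm-02"},
]

# Constructed inventory of HSMs / other secure cryptographic devices (SCDs).
SCDS: List[str] = ["hsm-01"]


def review_inventory(inventory: List[Dict], scds: List[str], today: date) -> List[str]:
    """Return one finding per gap in the documented cryptographic architecture."""
    findings: List[str] = []
    for k in inventory:
        minimum = MIN_STRENGTH_BITS.get(k["algorithm"])
        if minimum is None:
            findings.append(f"{k['id']}: algorithm {k['algorithm']} is not on the approved list")
        elif k["strength"] < minimum:
            findings.append(f"{k['id']}: {k['algorithm']}-{k['strength']} is below the "
                            f"{minimum}-bit minimum")
        if k["expires"] < today:
            findings.append(f"{k['id']}: expired on {k['expires'].isoformat()}")
        if not k["usage"].strip():
            findings.append(f"{k['id']}: no key usage description")
        # A key said to live in an HSM must point at a device that is inventoried.
        if k["stored_in"].startswith("hsm") and k["stored_in"] not in scds:
            findings.append(f"{k['id']}: held in {k['stored_in']}, which is not in the SCD inventory")
    return findings


if __name__ == "__main__":
    for line in review_inventory(INVENTORY, SCDS, date(2018, 2, 1)):
        print(line)
```

Reviewed on the assumed date of 1 February 2018, the sample yields four findings: the 1024-bit key-encrypting key, and three against the gateway certificate key (expired, no usage description, held in a device missing from the SCD inventory).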

10.8: Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of:

  • Firewalls
  • IDS/IPS
  • FIM
  • Anti-virus
  • Physical access controls
  • Logical access controls
  • Audit logging mechanisms
  • Segmentation controls (if used)

This requirement is aimed at addressing the increased threat of intrusions going undetected for an extended period of time. Ensuring that failures are detected in a timely manner requires a proactive process to be in place. There is not yet any clear guidance on what constitutes a timely manner; however, automated tools are likely to make this task significantly easier.

10.8.1: Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include:

  • Restoring security functions
  • Identifying and documenting the duration (date and time start to end) of the security failure
  • Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause
  • Identifying and addressing any security issues that arose during the failure
  • Performing a risk assessment to determine whether further actions are required as a result of the security failure
  • Implementing controls to prevent cause of failure from reoccurring
  • Resuming monitoring of security controls.

While this requirement relates directly to the failures identified under Requirement 10.8, it sits within the incident management procedures and extends them to cover the event of a critical security control failing. Because the requirement is new and carries extensive reporting obligations, we recommend that this process is tested as part of its development, to ensure that it can be embedded within the organisation’s incident processes.
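As an added example covering both Requirement 10.8 and Requirement 10.8.1 (this is not code from the Confide article or the PCI SSC), the block below shows the kind of automation the article anticipates: a heartbeat monitor that reports a critical security control as failed when it has not checked in within its expected interval, and a failure record carrying each element that 10.8.1 says must be documented (start and end time, root cause, remediation, issues found, risk assessment, preventive control, resumption of monitoring). The control names, expected intervals and heartbeat timestamps are constructed.

```python
"""Added example: heartbeat-based detection of failed security controls
(Requirement 10.8) and a failure record for the 10.8.1 response process.
Control names, intervals and timestamps are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed: how often each control is expected to report in (e.g. a syslog
# heartbeat, a FIM scan summary, an AV signature-update event).
EXPECTED_INTERVAL: Dict[str, timedelta] = {
    "firewall": timedelta(minutes=5),
    "ids": timedelta(minutes=5),
    "fim": timedelta(hours=1),
    "antivirus": timedelta(hours=4),
    "audit-logging": timedelta(minutes=1),
}

# Constructed: last heartbeat seen per control. "audit-logging" never reported.
LAST_SEEN: Dict[str, datetime] = {
    "firewall": datetime(2018, 2, 1, 9, 58),
    "ids": datetime(2018, 2, 1, 9, 20),
    "fim": datetime(2018, 2, 1, 9, 30),
    "antivirus": datetime(2018, 2, 1, 7, 0),
}


def detect_failures(expected: Dict[str, timedelta],
                    last_seen: Dict[str, datetime],
                    now: datetime) -> Dict[str, Optional[datetime]]:
    """Return overdue controls mapped to their last good heartbeat
    (None if the control has never reported at all)."""
    failed: Dict[str, Optional[datetime]] = {}
    for control, interval in expected.items():
        seen = last_seen.get(control)
        if seen is None or now - seen > interval:
            failed[control] = seen
    return failed


@dataclass
class FailureRecord:
    """The evidence Requirement 10.8.1 asks for, one record per failed control."""
    control: str
    started: datetime                     # last good heartbeat, or detection time
    ended: Optional[datetime] = None      # when the security function was restored
    root_cause: str = ""
    remediation: str = ""
    issues_found: List[str] = field(default_factory=list)
    risk_assessed: bool = False
    preventive_control: str = ""
    monitoring_resumed: bool = False

    def duration(self) -> Optional[timedelta]:
        return None if self.ended is None else self.ended - self.started

    def is_complete(self) -> bool:
        """True once every element of the 10.8.1 process has been recorded."""
        return (self.ended is not None and bool(self.root_cause)
                and bool(self.remediation) and self.risk_assessed
                and bool(self.preventive_control) and self.monitoring_resumed)


def open_records(failed: Dict[str, Optional[datetime]], now: datetime) -> List[FailureRecord]:
    """Start one record per detected failure, dated from the last good heartbeat
    (or from detection time if the control never reported)."""
    return [FailureRecord(control=c, started=seen or now) for c, seen in failed.items()]


if __name__ == "__main__":
    now = datetime(2018, 2, 1, 10, 0)
    for rec in open_records(detect_failures(EXPECTED_INTERVAL, LAST_SEEN, now), now):
        print(f"FAILURE {rec.control}: no heartbeat since {rec.started.isoformat()}")
```

With the sample data and a check at 10:00, the IDS (last seen 40 minutes earlier) and the audit logging mechanism (never seen) are reported; the other three are within their intervals. The `is_complete()` check is the part that matters for the 10.8.1 evidence: an incident is not closed until every element is filled in.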

11.3.4.1: If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.

While this is a new requirement, it extends the existing requirement for organisations that use segmentation to test the effectiveness of that segmentation. This new requirement increases the frequency with which service providers must perform this testing. While there is no requirement for the testing to be done by an external third party, any internal party must be able to demonstrate both (1) that they are appropriately qualified to perform the testing, and (2) that they are organisationally independent.

12.4.1: Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include:

  • Overall accountability for maintaining PCI DSS compliance
  • Defining a charter for a PCI DSS compliance program and communication to executive management.

The remaining new requirements are focused on the overarching governance processes to help ensure that PCI DSS is not treated as a point-in-time event, but instead is integrated into the BAU processes. As part of that, there needs to be a commitment at the senior level to ensure that PCI DSS is visible at the executive level.

12.11: Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes:

  • Daily log reviews
  • Firewall rule-set reviews
  • Applying configuration standards to new systems
  • Responding to security alerts
  • Change management processes

This requirement and Requirement 12.11.1 help to ensure that processes are regularly reviewed to ensure that they are being followed. While this requirement is not meant to repeat the testing from the PCI DSS requirements, understanding the underlying intention of each of these requirements should guide how the review process is carried out. This also helps to ensure that failures in processes can be identified early, so as to minimise the risk to PCI DSS compliance.

12.11.1: Maintain documentation of quarterly review processes to include:

  • Documenting results of the reviews
  • Review and sign off of results by personnel assigned responsibility for the PCI DSS compliance program.

This requirement ties together the review documentation from Requirement 12.11 and the governance processes from Requirement 12.4, and helps to ensure that senior management has clear visibility into the processes that affect PCI DSS compliance.

TLS Requirements (1 July 2018)

After 30 June 2016, all entities must have stopped use of SSL/early TLS as a security control, and only use secure versions of the protocol.

Prior to 30 June 2018, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.

Appendix 2 covers the requirements for SSL / Early TLS.

Given the impending deadline for disabling SSL and Early TLS, we recommend reviewing the current need for these protocols more frequently, to determine whether it is possible to disable them before the deadline.
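To make that review concrete, here is an added example (not code from the Confide article or the PCI SSC) that classifies the protocol versions each server has enabled against the SSL/early TLS sunset and builds the server-side `ssl.SSLContext` that enforces TLS 1.2 as the floor. The per-host protocol lists are constructed, as you might transcribe them from a TLS scanner report; treating TLS 1.1 as advisory rather than forbidden is an assumption of this example.

```python
"""Added example: find servers still offering SSL/early TLS and build a
server context that refuses anything below TLS 1.2. Scan data is constructed."""
import ssl
from typing import Dict, List

# SSL 2.0, SSL 3.0 and TLS 1.0 are what PCI DSS refers to as "SSL/early TLS".
SUNSET = {"SSLv2", "SSLv3", "TLSv1.0"}
# Assumption for this example: TLS 1.1 is reported as advisory, not blocking.
ADVISORY = {"TLSv1.1"}

# Constructed: protocol versions each host currently accepts.
SCAN: Dict[str, List[str]] = {
    "payment-gw.example": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
    "api.example": ["TLSv1.2", "TLSv1.3"],
    "legacy-pos.example": ["SSLv3", "TLSv1.0"],
}


def classify_protocols(enabled: List[str]) -> Dict[str, List[str]]:
    """Split one host's enabled versions into must_disable / advisory / ok."""
    result: Dict[str, List[str]] = {"must_disable": [], "advisory": [], "ok": []}
    for proto in enabled:
        if proto in SUNSET:
            result["must_disable"].append(proto)
        elif proto in ADVISORY:
            result["advisory"].append(proto)
        else:
            result["ok"].append(proto)
    return result


def migration_report(scan: Dict[str, List[str]]) -> List[str]:
    """One line per host that still needs work before the sunset date."""
    lines: List[str] = []
    for host, enabled in scan.items():
        c = classify_protocols(enabled)
        if c["must_disable"]:
            lines.append(f"{host}: disable {', '.join(c['must_disable'])} before the deadline")
        elif c["advisory"]:
            lines.append(f"{host}: {', '.join(c['advisory'])} still enabled; plan move to TLS 1.2+")
    return lines


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context that refuses SSL and TLS below 1.2 (Python 3.7+).
    Load a certificate and key before use in a real service."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for line in migration_report(SCAN):
        print(line)
    print("floor:", hardened_server_context().minimum_version)
```

On the sample scan, two hosts are reported as needing early TLS disabled and `api.example` is silent; the hardened context is what the migrated service should run with.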

Confide is New Zealand’s Premier Security Assessment Company for the Payment Card Industry.

BusinessArticles is the popular online Hub for quality business articles. We publish unique articles and share them with our social followers.

Take These Steps And Protect Your Business From A Cybercrime

You might have read the news story surrounding the events that happened at Mar-a-Lago. The prestigious club favoured by the president was recently breached by a woman who claimed she was a member. She wasn’t. When she was inside, she suggested she was there for a conference.

There was no conference taking place, and the woman entered the club with multiple pieces of tech, one of which contained malware. The president was in the club at the time, and it is not currently known what the woman’s intentions were. It is, however, clear that she almost succeeded.

This shouldn’t come as a massive shock. After all, recent reports have suggested that by 2021 there will be a cyber attack on a business every twenty seconds. That’s crazy and it won’t just be big businesses that are exposed either.

Indeed, experts suggest that smaller companies will be targeted because criminals won’t expect them to have the latest protection measures in place.

This leaves an important question: Is your business secure and prepared for the threat of a cyber attack?

Truthfully, the answer is probably no. But you can take steps and make changes to ensure that your business is protected.

Let’s look at some of the ways you can do this, plus here’s a quick recap on what you need to know about cyber crime and malware.

What is Malware?

You don’t need to know the history of malware, but it’s kind of interesting, so here’s a short summary. Its beginnings are thought to lie in 1949 with computer scientist John von Neumann; however, the first documented viruses appeared in the 1970s.

There was the Creeper worm by Bob Thomas, and in the eighties Fred Cohen, the man credited as the father of viruses, really developed the computer virus as we know it today.

Not all viruses are bad, though malware is, and it’s thought that a third of all computers worldwide have been infected at some time.

Hard-hitting viruses

There have been some very hard hitting computer viruses over the years including:

  • 2013 – CryptoLocker. This is one of the early ransomware programs. Ransomware in itself is interesting insofar as it denies the user access to their computer, with threats to publish the user’s data unless a ransom is paid.
  • 2014 – Backoff. Known for hitting the Point of Sale (POS) machines to steal credit card data.
  • 2016 – Cerber. One of the most infectious viruses, according to Microsoft.
  • 2017 – WannaCry Ransomware. Appropriately named as many companies attacked by it did ‘want to cry’.

Source – a brief history of malware

What is Cybercrime?

Simply put, cybercrime is the term used to describe any criminal activity online, i.e. that uses the Internet. It’s far-reaching, insofar as it includes everything from ransomware and other viruses to hacking, phishing and spamming.

So, what can you do to make sure your business is protected?

Installed And Up To Date

It’s important to make sure that you install anti-virus software. Once it is installed, make sure that you update it regularly. Many people think that once anti-virus software is installed on their tech, their issues are over. This just isn’t the case. Indeed, it’s possible and even likely that you fall behind on updates, and suddenly there’s basically no protection for your business.

This is usually because people are relying on free antivirus software. Free software is better than nothing, but it’s definitely not the ideal solution. If you want the highest level of protection, then you need to invest in the best software on the market. This isn’t free but it does provide fantastic value for your company.

Choose Strong Passwords

Passwords are incredibly dangerous if they are easy to guess or if they include information that people could quickly access. As such, there should be no personal information used to create your passwords. It should be a random string of numbers and letters. These are almost impossible to guess or hack and as such will keep your sensitive data secure.

The Latest Tech

Do make sure that you are investing in the latest technology and equipment. The latest tech will usually have preventive measures in place to ensure that software is protected, particularly if it is running the latest programs and systems.

You should also be careful of cost-saving approaches such as BYOD initiatives. While these can cut costs, you can’t guarantee that the devices employees use are as secure as they need to be. Investing in the latest technology yourself will always be the best option.

We hope this helps you understand how to secure your business from a potential cybercrime.

How Is AI Being Used In Business?

Artificial Intelligence is bandied around the office, and there’s plenty of information on it online, but is your business using it? And if not yet, where could it be using it some time soon?

Machine Learning, Biometrics, and Robotic Process Automation are in use right now and growing in popularity, not just with the big businesses but also startups, SMEs and everything in between.

Adext’s report includes 19 AI Technologies to look for in 2019 and it’s well worth a read. In this article, we consider three types that mainstream business can no longer live without.

Listed in no particular order, you may have heard of these AI technologies but not be aware of what they do or how businesses use them.

Where Business Is Using AI

Digital marketing & advertising, research and administration, are key areas of business that are seeing massive change with AI, and specifically these AI techs: RPA, Biometrics and ML.

Machine Learning

A branch of AI, this tech has been around for a while.

Machine Learning (ML) develops techniques so computers can automatically learn and improve from experience. It’s used right now to predict and classify data, hence it’s been a game changer for advertising platforms like Google Ads.

Analysis of huge quantities of data, in quick smart time and with accuracy, has relieved many of us from jobs involving mundane, repetitive tasks.

ML gets its data from APIs, algorithms, other machines and big data tools, to name a few sources; but not all machine learning algorithms are the same.

Machine learning algorithms:

  • Supervised – can apply what’s been learned to new data
  • Unsupervised – explores data and describes hidden structures within datasets
  • Semi-supervised – somewhere between the two mentioned above
  • Reinforcement – allows software and machines to pick the optimum response within specific context to improve performance.

More detail found here: ML algorithms definitions

There are many platforms available now and you’ll know many of the companies in this space: Google, Amazon, Microsoft, and a few you may not know that well including: Adext, and Skytree.

Biometrics

This AI tech is focused on improving communication and understanding between us and machines. It uses measurement and analysis of human behaviour. Interactions such as touch, speech, images and even body language are in its sights.

Just like ML, this is a big field of AI with huge potential, particularly in the area of market research.

Robotic Process Automation

Think AI workers, that’s this technology. Robotic process automation (RPA) is another area of AI that’s a game changer for employment, and many of the jobs we used to do, still do and will no longer do. Already RPA has found its way into many industries and AI workers (machines) have replaced humans in the workforce.

The prosaic and repetitive tasks humans used to do are now done, in part or in full, by machines. AI has found its place in areas of the business such as accounting, administration, customer support and help desks, but also on websites.

Chat Bot

The ‘chat bot’ is now ubiquitous on websites for products and services and online sales support. Here is a good read on how using a chatbot could benefit business and change the customer experience.

Live Chat is a more human form of the chat bot and when you’ve experienced it, as a customer, your level of appreciation goes up a notch or two.

There is a flip side for businesses using live chat and chat bot tech. Customers now used to it will expect your business to deliver immediacy and efficiency every time.

With RPA, businesses see lots of upside, with reduced overheads and improved productivity.

There has been some clever marketing for it, mainly to dissuade negative reaction from workers fearful of job displacement. Business and workers are encouraged to see it as a solution that promotes better use of human workers, through new roles that are infinitely more interesting and fulfilling, while also doing wonders for the company’s bottom line.

Summary

AI is everywhere and depending on how you view your business, career and life; the future is either very exciting, or maybe a bit scary.

How tech is transforming three traditional industry sectors

When it comes to tech transformation, you only need to look at what the smart investors are funding to see that it’s not just the dynamic, emerging sectors such as fintech that are benefiting. Investors such as Tom Chapman, co-founder of MatchesFashion; Sanjeev Krishnan of S2G Ventures, and Donald Lucas of Lucas Venture Group are focusing on the traditional industries too.

While we’ve all been watching the dynamic, and often consumer-facing, end of the tech market, activity is growing at a rapid pace in some of our most traditional sectors. Here are just three that are coming up on the rails by using tech to power the next generation of companies.

1. Logistics and shipping

Established industries don’t come much more traditional than shipping or as profitable as freight forwarding, a sector worth some $2 trillion at the last count. Freight forwarding companies ensure the smooth movement of goods around the globe but, up until recently, the industry has not seen anything like the kind of tech transformation you would witness elsewhere.

This year that’s set to change. A number of new tech businesses have sprung up to service the sector, dragging it into the 21st Century. Possibly the most high-profile is San Francisco-based startup Flexport, which in February received another $1bn in investment taking its valuation to a whopping $3.2bn. Started just five years ago, it now employs more than 1,000 people from 11 offices worldwide and is building warehousing facilities at many major ports. Flexport has seen such stratospheric growth because it understands the industry’s biggest problems and has got the tech right.

For the first time, Flexport has created a holistic cloud-based software platform that connects all the parties together in one place: importers, exporters, shipping carriers, truckers, airlines, plus the customs agencies and ports, allowing real-time interaction and document transfer. This might not seem so groundbreaking but in freight forwarding, where to date mountains of paper documents have been the norm, it really is.

2. Agriculture and food

Farming is another sector that’s slowly being transformed by tech innovations. For the last few years we’ve seen a big growth in agtech, fueled by a rapid rise in investment on the back of concerns about food security and environmental regulation. In fact, last year agtech deal activity hiked 11 per cent year-on-year worldwide; according to agtech funder Sanjeev Krishnan: “We have never seen the tectonic plates shifting as much as they are now, from the farm gate to the fridge.”

If there is one company that encapsulates the ethos and innovation of the new agtech revolution it’s Farmwise. Based out of San Francisco, Farmwise aims to solve some core issues in farming: the elimination of weeds and the need to optimise the amount of crops grown on a farmer’s land and the need to reduce the use of harmful pesticides.

Founded in 2016, Farmwise is just about to launch its first generation automated weeding system. The vehicle provides information about the crops in real time, giving farmers a more accurate early warning system and pointing to areas that need their attention. But more than this, using a combination of AI and robotics, the onboard tech captures images of each plant, analyses the data and identifies whether it’s friend or foe. Then it removes the weeds, even around individual crops. In time it’s hoped that this tech will drastically reduce the need to spray chemicals on the land and increase the productivity of each individual field.

3. Construction and housebuilding

Regarded by many as the last tech-free bastion, the building industry is highly traditional and until recently was resistant to change. But over the last couple of years we’ve seen a growing number of startups coming on stream, determined to transform this determinedly old-school sector.

One company focused on the building industry that has hit the headlines is Katerra, a startup focused on increasing collaboration, productivity and speeding up the construction process using tech. Driving them forward is the challenge we all face: creating more and cheaper housing as global populations boom. It’s a company with big ideas and big ambitions that has attracted high-profile investors.

Katerra is set to transform the sector because they are creating a one-stop building shop. They handle everything: architecture and design, specification, construction and fit-out, all powered by heavy use of the latest tech, including AI, robotics, apps and customer software interfaces. If there was ever a company that demonstrated the future for traditional industries, it’s Katerra. As Katerra Chairman and co-founder Michael Marks says: “Progress won’t come with incremental measures, we are pursuing transformational change on a massive scale.”

Today, tech is driving every industry sector, transforming everything, including where we live, how we’ll ship goods and what we will eat. The next five years will see traditional industries play catch up and you can bet the results for us all will be startling.
