PCI DSS 3.2 – Important 31 January 2018 Deadline & Clarifications

Overview

In April 2016, Version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS) was released. This version of the standard contains a number of new requirements that were considered best practice until 31 January 2018 and come into full force as of 1 February 2018. This document provides an overview of what is new in Version 3.2, separated by:

  • Clarifications that apply to all Version 3.2 reports.
  • New requirements that come into force for all parties (merchants and service providers) as of 1 February 2018.
  • New requirements that come into force for service providers only as of 1 February 2018.
  • Sunset date for SSL and early TLS.

This document summarises what Confide has seen from assessments undertaken since Version 3.2 was released and the information that has been provided by the PCI Security Standards Council.

Clarification (Applicable for all 3.2 reports)

1.1.6.a: Identify the firewall and router configuration standards document(s) reviewed to verify the document(s) contain a list of all services, protocols, and ports necessary, including a business justification and approval for each.

These approvals should be granted by someone other than a person who is responsible for managing the configuration. For example, this might include a Security Officer or other role who is responsible for overseeing the PCI DSS process internally, or by someone outside of the standard team of people who are responsible for performing the day to day management of network devices.

6.5: Address common coding vulnerabilities in software-development processes as follows:

  • Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
  • Develop applications based on secure coding guidelines.

The requirement for developer training is not new. However, in Version 3.2, it was clarified that this training must take place for all developers at least annually. We also recommend that testers attend this training as well to ensure that they are adequately equipped to test for basic security vulnerabilities.

11.3.4.c: Verify that the [segmentation penetration test] was performed by a qualified internal resource or qualified external third party, and if applicable, the organisational independence of the tester exists (not required to be a QSA or ASV).

The requirement for segmentation testing is not new. However, Version 3.2 clarifies who may perform it, bringing it into line with the requirements for internal and external penetration testing. The person performing the segmentation testing must be either a qualified internal resource or a qualified external third party, and there must be sufficient organisational independence (e.g. the testing should not be done by individuals who are responsible for the day-to-day management of the systems under test, or who report directly to the staff responsible for those teams).

12.3.3: Verify that the usage policies define:

  • A list of all critical devices, and
  • A list of personnel authorised to use the devices

The wording of this requirement has been adjusted to ensure that it is clear that the usage policies must include both a list of the critical devices in the environment and a list of the personnel authorised to use the devices. This needs to be documented and cannot be considered “self-documenting” as part of a system such as Active Directory or LDAP.

Additional Requirements for All Parties (as of 1 February 2018)

There are several new requirements that come into force for both merchants and service providers.

6.4.6: Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.

To ensure that this requirement is met, Confide recommends that a clear definition of what constitutes a "significant change" be written into the change process, so that staff can identify when this level of review is required. While the PCI Council does not provide a definitive definition, the guidance under Requirements 11.2 and 11.3 suggests this includes (but is not limited to):

  • New system component installations
  • Changes in network topology
  • Firewall rule modifications
  • Product upgrades
  • Operating system upgrades
  • Sub-networks being added to the environment
  • New web servers

Once significant changes have been defined, we recommend developing a set of templates for reviewing the relevant PCI DSS requirements, to ensure that (1) the relevant requirements have been put in place before the system goes live, and (2) sufficient testing has been done to meet PCI DSS (e.g. penetration testing, vulnerability scanning). Incorporating this into the change control process is one option.

8.3.1: Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.

The PCI Security Standards Council has published a guidance document on what constitutes multi-factor authentication (see: https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authentication-Guidance-v1.pdf). It gives examples of what does and does not count as multi-factor (for instance, the factors must be independent of each other, and the outcome of one factor must not be revealed before all factors have been submitted) and of where multi-factor can be placed in the environment. Note that 8.3.1 is broader than the pre-3.2 requirement, which applied only to remote access from outside the network: from 1 February 2018 it also covers administrative access into the CDE from the internal network.

We also recommend reviewing the Council's guidance on Segmentation and Scoping (see: https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1.pdf), as the way multi-factor is implemented may be influenced by how you have decided to segment the environment.

Additional Service Provider Requirements (as of 1 February 2018)

These new requirements are currently only applicable to service providers. As defined by the PCI DSS, a service provider is any business that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another organisation, or that otherwise impacts the security of cardholder data.

3.5.1: Maintain a documented description of the cryptographic architecture that includes:

  • Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date
  • Description of the key usage for each key
  • Inventory of any HSMs and other SCDs used for key management

While policies and procedures for key management and for the management of encryption devices have long been required, this requirement sets out a new level of detail that must be documented about how cardholder data is protected. In practice, a current inventory of algorithms, key strengths, expiry dates and HSMs/SCDs also helps the organisation keep up with evolving threats to the architecture (for example, when an algorithm or key length is deprecated) and to detect lost or missing keys or devices.

10.8: Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of:

  • Firewalls
  • IDS/IPS
  • FIM
  • Anti-virus
  • Physical access controls
  • Logical access controls
  • Audit logging mechanisms
  • Segmentation controls (if used)

This requirement is aimed at the growing number of intrusions that go undetected for extended periods because a control had silently failed. Meeting it requires a proactive process: someone, or something, must notice that a firewall cluster, an IDS sensor or a log forwarder has stopped doing its job, rather than discovering it at the next assessment. The Council has not yet defined what constitutes "timely". Automated tooling (health checks, heartbeat monitoring, alerting on log sources that go quiet) makes this considerably easier than a manual review, and it also produces the timestamps that Requirement 10.8.1 asks for.

10.8.1: Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include:

  • Restoring security functions
  • Identifying and documenting the duration (date and time start to end) of the security failure
  • Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause
  • Identifying and addressing any security issues that arose during the failure
  • Performing a risk assessment to determine whether further actions are required as a result of the security failure
  • Implementing controls to prevent cause of failure from reoccurring
  • Resuming monitoring of security controls.

This requirement follows on from the failures identified under Requirement 10.8 and extends the organisation's incident management procedures to cover a critical security control failing. Because the requirement is new and the documentation it demands is extensive, we recommend exercising the process (for example, with a tabletop walk-through of a simulated FIM or logging outage) while it is being developed, so that it can be embedded within the organisation's existing incident processes rather than bolted on.
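One way to give Requirements 10.8 and 10.8.1 an automated backbone, as an added example rather than code from the article or from Confide: a monitor that consumes heartbeat lines from each critical control, raises a failure when a control has been silent for longer than its tolerance, and keeps a record of the last-good, detected and restored timestamps so that the duration required by 10.8.1 can be documented. The control names, the tolerances and the heartbeat feed are constructed for the example; a real deployment would feed it from the tools' own logs or health endpoints.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Hypothetical tolerances: how long each critical control may stay silent
# before it is treated as failed. Tune to the real cadence of each tool.
MAX_SILENCE = {
    "firewall":      timedelta(minutes=5),
    "ids":           timedelta(minutes=5),
    "fim":           timedelta(hours=1),
    "antivirus":     timedelta(hours=1),
    "audit-logging": timedelta(minutes=15),
}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass
class FailureRecord:
    """One entry for the 10.8.1 record: last known-good heartbeat, when the
    failure was detected, and when the control reported again."""
    control: str
    last_good: Optional[datetime]
    detected: datetime
    restored: Optional[datetime] = None

    def duration(self) -> Optional[timedelta]:
        # Measured from the last good heartbeat, not from detection: the
        # control may have been down for the whole silent gap.
        if self.restored is None or self.last_good is None:
            return None
        return self.restored - self.last_good


class ControlMonitor:
    def __init__(self, max_silence: Dict[str, timedelta]):
        self.max_silence = max_silence
        self.last_seen: Dict[str, datetime] = {}
        self.open: Dict[str, FailureRecord] = {}   # failures not yet restored
        self.closed: List[FailureRecord] = []      # failures with an end time

    def observe(self, line: str) -> None:
        """Consume one heartbeat line: '<ISO-8601 UTC> <control> <free text>'."""
        parts = line.split(maxsplit=2)
        ts, control = datetime.strptime(parts[0], TS_FMT), parts[1]
        self.last_seen[control] = ts
        rec = self.open.pop(control, None)
        if rec is not None:          # control is reporting again: close the record
            rec.restored = ts
            self.closed.append(rec)

    def check(self, now: datetime) -> List[str]:
        """Return controls newly found silent beyond their tolerance at `now`."""
        newly_failed = []
        for control, tolerance in self.max_silence.items():
            last = self.last_seen.get(control)
            silent = last is None or now - last > tolerance
            if silent and control not in self.open:
                self.open[control] = FailureRecord(control, last, now)
                newly_failed.append(control)
        return newly_failed


def build_sample_feed() -> List[str]:
    """Constructed feed: firewall and IDS check in every 5 minutes, antivirus
    hourly, FIM only once; the audit-log forwarder goes quiet after 08:05
    and returns at 08:40."""
    base = datetime(2018, 1, 31, 8, 0)
    lines = []
    for m in range(0, 61, 5):
        t = (base + timedelta(minutes=m)).strftime(TS_FMT)
        lines.append(f"{t} firewall heartbeat ok")
        lines.append(f"{t} ids heartbeat ok")
        if m <= 5 or m >= 40:
            lines.append(f"{t} audit-logging forwarder alive")
    lines.append(f"{base.strftime(TS_FMT)} fim baseline scan completed")
    for m in (0, 60):
        t = (base + timedelta(minutes=m)).strftime(TS_FMT)
        lines.append(f"{t} antivirus signatures current")
    return sorted(lines)   # ISO timestamps sort chronologically as strings


def demo():
    """Replay the feed, running the check every 5 minutes as a cron job would.
    Returns (first detection time per control, closed records, open records)."""
    mon = ControlMonitor(MAX_SILENCE)
    feed = build_sample_feed()
    base = datetime(2018, 1, 31, 8, 0)
    detections: Dict[str, datetime] = {}
    i = 0
    for m in range(0, 66, 5):
        now = base + timedelta(minutes=m)
        while i < len(feed) and feed[i][:20] <= now.strftime(TS_FMT):
            mon.observe(feed[i])
            i += 1
        for control in mon.check(now):
            detections.setdefault(control, now)
    return detections, mon.closed, mon.open
```

Running `demo()` detects the audit-logging forwarder at 08:25 and closes its record at 08:40 with a 35-minute duration, while the FIM agent (silent since 08:00) is flagged at 09:05 and remains an open failure. Two design points worth keeping in a real implementation: the duration is counted from the last good heartbeat rather than from detection, since that is the window in which cardholder data was unprotected, and a control is reported once when it fails rather than on every poll, so the 10.8.1 record has one start and one end.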

11.3.4.1: If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.

While this is a new requirement, it extends the existing requirement (11.3.4) for organisations that use segmentation to test the effectiveness of that segmentation: for service providers the minimum frequency increases from at least annually to at least every six months, and testing is still required after any change to the segmentation controls or methods. There is no requirement for the testing to be done by an external third party, but any internal party must be able to demonstrate both (1) that they are appropriately qualified to perform the testing, and (2) that they are organisationally independent.

12.4.1: Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include:

  • Overall accountability for maintaining PCI DSS compliance
  • Defining a charter for a PCI DSS compliance program and communication to executive management.

The remaining new requirements are focused on the overarching governance processes to help ensure that PCI DSS is not treated as a point-in-time event, but instead is integrated into the BAU processes. As part of that, there needs to be a commitment at the senior level to ensure that PCI DSS is visible at the executive level.

12.11: Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes:

  • Daily log reviews
  • Firewall rule-set reviews
  • Applying configuration standards to new systems
  • Responding to security alerts
  • Change management processes

This requirement and Requirement 12.11.1 check that the day-to-day processes are actually being followed between assessments. The quarterly review is not meant to repeat the testing that the PCI DSS requirements themselves call for; rather, understanding the intent behind each of the listed processes should guide how the review is carried out (for example, sampling a handful of days' log-review records and alert tickets rather than re-reviewing the logs). Finding a lapsed process early keeps the exposure, and the risk to PCI DSS compliance, small.

12.11.1: Maintain documentation of quarterly review processes to include:

  • Documenting results of the reviews
  • Review and sign off of results by personnel assigned responsibility for the PCI DSS compliance program.

This requirement ties the review documentation from Requirement 12.11 to the governance structure from Requirement 12.4, so that the results of the processes that affect PCI DSS compliance are visible to the personnel accountable for the programme and, through them, to senior management.

TLS Requirements (1 July 2018)

After 30 June 2018, all entities must have stopped using SSL and early TLS as a security control and must use only secure versions of the protocol. (The Council treats TLS 1.1 as the minimum acceptable replacement and strongly encourages TLS 1.2 or higher.)

Prior to 30 June 2018, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.

Appendix A2 of PCI DSS 3.2 sets out the requirements for SSL / early TLS. The one exception it allows is for POS POI terminals (and the SSL/TLS termination points they connect to) that can be verified as not being susceptible to any known exploits for SSL and early TLS; these may continue to use the protocols after the deadline.

Given the impending deadline, we recommend reviewing the remaining need for these protocols more frequently than the migration plan alone requires, so that they can be disabled ahead of the deadline wherever possible. Confirm removal by testing the listening endpoints themselves rather than trusting configuration files: a load balancer, an appliance or a forgotten virtual host can still accept TLS 1.0 after the application servers behind it have been hardened.
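A way to check that a given endpoint no longer accepts the retired protocols, as an added example that is not part of the original article or of Confide's own tooling: it pins a client context to one protocol version at a time and treats a completed handshake as proof that the server still accepts that version. The host and port are assumptions (the page names none), the probe uses only Python's standard `ssl` module, and the classification follows the distinction above (SSLv3 and TLS 1.0 retired, TLS 1.1 discouraged). The probe cannot test SSLv2, which Python's `ssl` module does not speak.

```python
import socket
import ssl
import sys
from typing import Dict, Optional

# Versions PCI DSS Appendix A2 retires on 30 June 2018.
RETIRED = {"SSLv3": ssl.TLSVersion.SSLv3, "TLSv1.0": ssl.TLSVersion.TLSv1}
# Accepted after the deadline only if securely configured; TLS 1.2+ is the goal.
DISCOURAGED = {"TLSv1.1": ssl.TLSVersion.TLSv1_1}


def pinned_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context that negotiates ONLY `version`, so a completed handshake
    proves the server still accepts that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # testing protocol policy, not the cert chain
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version    # raises ValueError if local OpenSSL lacks it
    ctx.maximum_version = version
    try:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; without
        # this the probe would report "refused" for a server that accepts them.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass                         # LibreSSL / old OpenSSL: no security levels
    return ctx


def probe_version(host: str, port: int, version: ssl.TLSVersion,
                  timeout: float = 5.0) -> Optional[bool]:
    """True: server completed a handshake at `version`.  False: server refused
    it.  None: host unreachable, or the local library cannot even try."""
    try:
        ctx = pinned_context(version)
    except ValueError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError:             # handshake rejected: the version is disabled
        return False
    except OSError:                  # refused, timed out, DNS failure ...
        return None


def audit_host(host: str, port: int = 443) -> Dict[str, Optional[bool]]:
    """Probe every retired and discouraged version against one endpoint."""
    return {name: probe_version(host, port, v)
            for name, v in {**RETIRED, **DISCOURAGED}.items()}


def classify(results: Dict[str, Optional[bool]]) -> Dict[str, list]:
    """Split probe results into what a migration plan has to record: versions
    that must be gone, versions to plan away from, and probes that proved
    nothing (those need a second look, not a tick in the box)."""
    return {
        "retired_still_accepted": sorted(n for n in RETIRED if results.get(n) is True),
        "discouraged_accepted":   sorted(n for n in DISCOURAGED if results.get(n) is True),
        "unverified":             sorted(n for n, r in results.items() if r is None),
    }


if __name__ == "__main__":
    # Hypothetical target; pass a real host:port from the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(classify(audit_host(target, port)))
```

Run it against each TLS termination point listed in the migration plan, not only the public hostname: the `unverified` bucket exists precisely because "the probe could not connect" and "the server refused TLS 1.0" are different findings, and a tool that conflates them will report a host as migrated when it was merely unreachable.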

Confide is New Zealand’s Premier Security Assessment Company for the Payment Card Industry.

BusinessArticles is the popular online Hub for quality business articles. We publish unique articles and share them with our social followers.
