When the PCI Security Council issues its new payments security requirements on Thursday (April 28), it is going to impose new rules about authentication and service providers. What is intriguing about the new edicts in 3.2 is the council's new acknowledgment that to protect payment, protections have to happen in the larger corporate universe.
For quite some time, the rules have required multifactor authentication for people who work directly with any payments data. Bowing to real-world reality, PCI will, as of Thursday, insist on multifactor authentication for anyone whose network access privileges might possibly enable them to touch payments data, whether it's their job or not. In other words, the universe of people who will have to abide by PCI rules just got a lot larger.
PCI Chief Technology Officer Troy Leach said that expanding the people impacted far beyond those who have payments data jobs is now necessary.
"The most important point is that the change to the requirement is intended for all administrative access into the cardholder data environment, even from within a company’s own network. This applies to any administrator, whether it be a third party or internal, that has the ability to change systems and other credentials within that network to potentially compromise the security of the environment," Leach said. "This will not impact machine authentication where one system is communicating with another as it is intended for personnel authentication, nor will it impact administrators accessing directly from the console."
The new rules don't stop there. Service provider companies who also may not have direct work-related interactions with payments data are also now PCIed.
"An organization could go to great lengths to protect their internal network only to see a third-party negate all of their effort as indicated in data breach reports. That is why several new requirements were identified for service providers in PCI DSS 3.2. These new requirements should already be part of service providers’ efforts to successfully manage the effectiveness of security within the cardholder data environment," Leach said. "These include actions such as maintaining a documented description of the cryptographic architecture and reporting on failures of critical security control systems. In addition, there’s a new requirement for executive management to establish responsibility for protection of cardholder data and the PCI DSS compliance program."
The point? Either wall off your payment data so that no one beyond the small set of authorized persons can get access, regardless of network privilege, or force everyone to play by PCI rules. Here's the kicker: They already should have been playing by PCI rules. As much as PCI is far from perfect, its guidelines are indeed very well-thought-out best practices for retail and, as a practical matter, just about every vertical.
A fair criticism of PCI is that it doesn't go far enough and therefore fuels checklist security. But that also means that strict adherence to PCI rules are nothing more than abiding by minimal standard security mechanisms. Let's consider the first change mentioned: multifactor authentication, which means no more allowing a simple password to stand between your most sensitive data and bad guys.
The only security problem I could see with that rule might be, "You didn't mandate this until late April 2016? What drugs are you on?"
As for applying these rules to third parties that might impact your network, I think Target's air-conditioning subcontractor kind of wraps that one up. Enterprises of all kinds today need to extend their most stringent security rules as far as they can, up and down their supply chains, to every contractor and every one of their contractors' contractors.
Last year, a major U.K. bank did some deep searches on the dark web and found a folder with more than 3,000 of its internal documents, including the ultra-sensitive design of its ATM networks. The leak was eventually traced to some network-attached storage that was misplaced by an ATM firm that had merely bid on doing some ATM work for the bank. As part of the confidential bidding process, the bank had shared technical details with bidders.
As soon as you realize that your security net must not merely cover all employees, contractors and subcontractors, but people who were just auditioning — unsuccessfully — to become a contractor, the sooner you'll see that these new PCI rules are not only acceptable, but don't go nearly far enough. But at least they're getting closer.