Any organisation which accepts card payments, and therefore stores, processes and transmits cardholder data, is required by law to host this data securely with a PCI-compliant hosting provider.
At the end of October last year the Payment Card Industry Data Security Standard (PCI DSS) 3.1 was officially retired. Now many organisations are trying to understand the new 3.2 version controls, how these changes affect their operations and security and what actions they need to take before they need to make the move.
Several significant changes have been made which will need to be addressed; here are some of the highlights:
6.4.6: Ensure security controls are in place following a change in their cardholder data environment
The changes in version 3.2 are simply common sense, and 6.4.6 is no exception. The plain understanding of this is that as things change, security controls must change to accommodate and protect the new realities of the infrastructure. It is the security provider's responsibility to see and react to changes when they occur, whether or not the IT team decides to inform security or compliance teams.
10.8 and 10.8.1: Service providers need to detect and report on failures of critical security control systems
Like 6.4.6, 10.8 and 10.8.1 are common sense being written into the standard. If there is a failure on the control side, then there should be an immediate reaction. Just as the security controls are there to detect and respond to incidents, the control systems themselves should allow teams to detect and respond to control failures that may expose vulnerabilities.
Having a solution which allows all components to be monitored by other systems, and which can notify on discrete events from within, can be useful in meeting this standard. When failure events occur, you can send them to your SIEM or monitoring system of choice to ensure that anything that goes awry gets the proper attention as soon as possible.
12.11 and 12.11.1: Service providers must perform quarterly reviews to confirm that personnel are following security policies and operational procedures
One of the most onerous parts of any regulatory compliance effort is the auditing to ensure that you are, in fact, meeting the requirements. These provisions are now stating this must be done at least quarterly. This will most likely drive more organisations to further automate their controls, since an automated control is very easy to audit. You review the policy that drives it for compliance to the regulation, you review the monitoring of the system to ensure that policy was correctly enforced (and with 10.8 and 10.8.1 this monitoring is now compulsory), and if the systems report that the control was successful, you are done. Compare this to the hours of reviews, reports, conversations, meetings, and other time wasters you need to use to ensure a manual process was followed. Automation will be the key not only to better security, but easier audits – especially as regulators see the wisdom of double checking the controls to ensure they are being properly applied.
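The two ideas above, detecting a failed or silent security control and forwarding it as an event (10.8/10.8.1), and keeping a machine-readable record that an automated control was checked (12.11), can be illustrated with a small monitor. The code below is an added example and is not from the original article or from Lieberman Software; the control names (fim, av, log-forwarder, firewall), the heartbeat record format, the 15-minute silence threshold and the event field names are all assumptions made for the example, and the status records are constructed sample data.

```python
"""Control-failure detection and audit summary (added example, constructed data)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: the latest status heartbeats reported by security-control
# agents in a cardholder data environment. Field names are assumptions.
SAMPLE_STATUS = [
    {"control": "fim", "host": "pos-db-01", "state": "ok", "seen": "2017-03-01T10:00:00Z"},
    {"control": "av", "host": "pos-db-01", "state": "ok", "seen": "2017-03-01T10:01:00Z"},
    # log forwarder has not reported for over two hours: a silent control
    {"control": "log-forwarder", "host": "pos-db-01", "state": "ok", "seen": "2017-03-01T08:00:00Z"},
    # firewall agent explicitly reports a failure
    {"control": "firewall", "host": "pos-db-01", "state": "failed", "seen": "2017-03-01T10:02:00Z"},
    # second host has only ever reported FIM; the other controls are missing
    {"control": "fim", "host": "pos-web-01", "state": "ok", "seen": "2017-03-01T10:00:30Z"},
]

# Assumed policy: every in-scope host must run these controls and report
# at least once per MAX_SILENCE, otherwise the control is treated as failed.
REQUIRED_CONTROLS = {"fim", "av", "log-forwarder", "firewall"}
MAX_SILENCE = timedelta(minutes=15)
NOW = datetime(2017, 3, 1, 10, 5, tzinfo=timezone.utc)  # fixed clock for the example


@dataclass(frozen=True)
class ControlFailure:
    host: str
    control: str
    reason: str
    severity: str  # "critical" for reported failures, "high" for silent/missing


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_failures(records, now=NOW, required=REQUIRED_CONTROLS, max_silence=MAX_SILENCE):
    """Return one ControlFailure per (host, control) that is failed, stale or absent."""
    latest = {}  # (host, control) -> (timestamp, state) of the newest record
    for rec in records:
        key = (rec["host"], rec["control"])
        ts = parse_ts(rec["seen"])
        if key not in latest or ts > latest[key][0]:
            latest[key] = (ts, rec["state"])

    failures = []
    for host in sorted({h for h, _ in latest}):
        for control in sorted(required):
            entry = latest.get((host, control))
            if entry is None:
                failures.append(ControlFailure(host, control, "no status ever reported", "high"))
                continue
            ts, state = entry
            if state != "ok":
                failures.append(ControlFailure(host, control, f"control reported state '{state}'", "critical"))
            elif now - ts > max_silence:
                minutes = int((now - ts).total_seconds() // 60)
                failures.append(ControlFailure(host, control, f"no heartbeat for {minutes} min", "high"))
    return failures


def to_siem_event(failure: ControlFailure, now=NOW) -> dict:
    """Shape a failure as a flat event suitable for a SIEM (field names assumed)."""
    return {
        "event_type": "security_control_failure",
        "requirement": "PCI DSS 10.8.1",
        "host": failure.host,
        "control": failure.control,
        "severity": failure.severity,
        "reason": failure.reason,
        "detected_at": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def to_siem_line(failure: ControlFailure, now=NOW) -> str:
    """One JSON line per event, the usual form for log shippers and SIEM ingestion."""
    return json.dumps(to_siem_event(failure, now), sort_keys=True)


def failure_summary(failures) -> dict:
    """Count failures by severity: the kind of automated evidence a quarterly review can consume."""
    summary = {}
    for f in failures:
        summary[f.severity] = summary.get(f.severity, 0) + 1
    return summary


if __name__ == "__main__":
    found = detect_failures(SAMPLE_STATUS)
    for f in found:
        print(to_siem_line(f))
    print("summary:", failure_summary(found))
```

Run against the sample it emits one critical event (the firewall that reported "failed") and four high events (the silent log forwarder and the three controls that never reported from pos-web-01). The point of the absence check is the one the 10.8 text makes: a control that stops talking is a control failure, not a quiet day, so the monitor must enumerate what should be there rather than only inspect what arrives.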
The bottom line
These aren't all the changes in the new version of PCI DSS, but they are the ones that affect security controls directly. As these regulations evolve, security providers should strive to lock down their customers' critical resources and meet regulatory burdens like PCI DSS while they do it. CISOs and security providers alike need to keep their eyes open and apply automated, scalable approaches to security and compliance.
Contributed by Jonathan Sander, VP of product strategy, Lieberman Software