With all of the turmoil breaking out right now in Ukraine, nearly all cyber eyes have been on that. But keep in mind that there is plenty happening here in the United States too. Fears of attacks on critical infrastructure are growing every day, and ransomware attacks still persist. Because of all of this, the stakes of holding PII datasets are growing even more menacing as well.
For example, the data privacy laws of both the GDPR and the CCPA are now starting to take full bite, with audits and penalties now taking place. This was largely ignored during the height of the COVID-19 pandemic, but now that the pandemic seems to be winding down, the auditors are really ramping up. But there is one regulation out there which has not received so much limelight until now, and that is the PCI Security Standards Council's set of standards, also known as the “PCI DSS”.
Essentially, this is a consortium of the major credit card companies (including Discover, Mastercard, Visa, American Express, and JCB), and its major goal is to ensure that a strict set of guidelines is implemented when it comes to the protection and usage of the credit card information and data of each and every cardholder. This consortium was founded in 2006, and there is a dedicated website where you can get much more information; the link is:
https://www.pcisecuritystandards.org/
The PCI DSS has set forth some very strict and specific standards for safeguarding these PII datasets, and for the types and kinds of controls that the major credit card processors have to implement. A future blog will examine this in much more detail.
Just like the GDPR and the CCPA, every few years the PCI DSS also updates its own set of standards, and the last version to come out was back in 2018, known technically as “v3.2.1”. But just last week, the most recent version came out, and this is now known as “v4.0”.
The primary reasons for this new cut are the amount of credit card fraud that took place during the COVID-19 pandemic, the sheer rise in online purchases made on wireless devices, and the deployment of customized shopping carts on the major cloud platforms such as AWS and Microsoft Azure.
While the overall structure of the PCI DSS standards has not changed in v4, a few more general enhancements were made to it, especially addressing the need for credit card processors to make their security models continuous (this essentially means maintaining a proactive mindset), and adding extra sets of validation procedures and methods. But there are two key differences between v4 and the previous versions, and they are as follows:
* Online merchants can now make use of what is known as “Customized Implementation”. This simply means that the online merchants can now custom create and implement the controls that will be used to protect the PII datasets. But if this option is chosen, there will be much more scrutiny by the PCI DSS auditors to make sure that these customized controls do actually meet the pre-established standards.
* The Identity and Access Management (IAM) methodologies set forth by NIST Special Publication 800-63B will also be strictly enforced, and credit card processors as well as the online merchants will have to implement the following:
  * Multifactor Authentication (MFA);
  * Passwords have to be changed at a minimum every 12 months;
  * Longer and more complex passwords have to be created (consider the use of a password manager here);
  * Access controls and the respective privileges that are assigned have to be reviewed at least once every six months (of course, the more often, the better);
  * Access for contractors or other third-party vendors can be granted only on an as-needed basis.
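To make the IAM controls listed above concrete, here is an added example (not from the post or from the PCI Security Standards Council) of a small access-review script that checks a constructed account inventory against those five points; the 12-character minimum length is an assumed local value, since the post only says passwords must be longer and more complex.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds as summarized in the post; MIN_PASSWORD_LENGTH is an assumed local value.
MAX_PASSWORD_AGE = timedelta(days=365)   # changed at least every 12 months
MAX_REVIEW_AGE = timedelta(days=183)     # privileges reviewed at least every six months
MIN_PASSWORD_LENGTH = 12

@dataclass
class Account:
    user: str
    mfa_enabled: bool
    password_changed: date
    password_length: int                   # length as reported by the password policy engine
    privileges_reviewed: Optional[date]    # None = never reviewed
    third_party: bool = False              # contractor / vendor account
    access_expires: Optional[date] = None  # third-party access must be time-bound

def audit_account(acct: Account, today: date) -> list[str]:
    """Return the list of failed controls for one account; an empty list means compliant."""
    findings = []
    if not acct.mfa_enabled:
        findings.append("MFA not enabled")
    if today - acct.password_changed > MAX_PASSWORD_AGE:
        findings.append("password older than 12 months")
    if acct.password_length < MIN_PASSWORD_LENGTH:
        findings.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    if acct.privileges_reviewed is None or today - acct.privileges_reviewed > MAX_REVIEW_AGE:
        findings.append("privileges not reviewed within six months")
    if acct.third_party and (acct.access_expires is None or acct.access_expires < today):
        findings.append("third-party access not time-bound or already expired")
    return findings

def audit(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Audit a whole inventory, keyed by user name."""
    return {a.user: audit_account(a, today) for a in accounts}

# Constructed sample inventory (not real accounts or data).
SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2021, 12, 1), 16, date(2022, 1, 10)),
    Account("bob", False, date(2021, 1, 15), 8, date(2021, 6, 1)),
    Account("vendor-svc", True, date(2022, 3, 1), 20, date(2022, 3, 1), True, date(2022, 3, 31)),
]
AUDIT_DATE = date(2022, 4, 15)

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(user, "OK" if not findings else "; ".join(findings))
```

In practice the inventory would be exported from the identity provider; the checks themselves stay the same.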
As one can see from the above, the PCI DSS consortium is slowly moving towards adopting the Zero Trust Framework. Also, a brand-new security standard will be strictly enforced, known as the “PCI 3DS Core Security Standard”. More details about this can be seen at the following link:
https://blog.pcisecuritystandards.org/what-to-know-about-the-new-pci-3ds-core-security-standard
Details on the NIST Special Publication can be seen at this link:
https://pages.nist.gov/800-63-3/sp800-63b.html
Also, any credit card information and data that is stored in cleartext will have to be eliminated with the ramp-up to v4.
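Finding where cleartext card numbers still live is the first step towards eliminating them. As an added example (not from the post or from the PCI Security Standards Council), this scanner flags Luhn-valid card numbers in stored records and masks them down to the last four digits; the sample record is constructed and uses public test card numbers only.

```python
import re

# Digit runs of 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; weeds out most non-card digit runs such as order or phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:             # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def _normalize(match: str) -> str:
    return re.sub(r"[ -]", "", match)

def find_cleartext_pans(text: str) -> list[str]:
    """Return every Luhn-valid card number found in cleartext, separators removed."""
    return [
        _normalize(m.group())
        for m in PAN_CANDIDATE.finditer(text)
        if luhn_valid(_normalize(m.group()))
    ]

def mask_pans(text: str) -> str:
    """Replace each detected PAN with asterisks, keeping only the last four digits."""
    def repl(m: re.Match) -> str:
        digits = _normalize(m.group())
        if luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()           # not a card number: leave untouched
    return PAN_CANDIDATE.sub(repl, text)

# Constructed sample record using public test card numbers, not real cardholder data.
SAMPLE_RECORD = "order=1234567890123 card=4111 1111 1111 1111 phone=555-0100 amex=378282246310005"

if __name__ == "__main__":
    print(find_cleartext_pans(SAMPLE_RECORD))
    print(mask_pans(SAMPLE_RECORD))
```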
My Thoughts On This:
The good news here is that v4 will not be fully enforced until at least 2025, which will give the online merchants time to readjust and calibrate their existing transaction and storage processes. The language contained in v4 will be translated into other languages as well, and this is expected to be completed by this summer.
Interestingly enough, the older version, v3.2.1, will still be in effect for two years after v4 is rolled out. But after that, it will be totally phased out and v4 will take full force. A diagram for the implementation of v4 is illustrated below:
Once again, one of the key differences of v4 compared to the other versions is that the online merchants now have greater flexibility in the types of controls that they need to implement. But nobody should be caught off guard by this, because the compliance standards and enforcement expectations will be much higher in this regard.