Newsletter 3/2015

Within this newsletter we want to inform you about the current publications of the PCI Council and other news from the IT compliance sector. The most important topics are:

1. PA-DSS Eligibility criteria
2. Best practices in PCI DSS v3.1 are now required
3. PCI DSS Designated Entities Supplemental Validation is published

PA-DSS Eligibility criteria

Payment application assessment and validation is the role of the PA-QSA Company.  As assessors you are the eyes and ears in the field. You have the unique ability to see into the environments in which these payment applications are running and determine whether an application is eligible for PA-DSS validation. The PA-DSS Eligibility Checklist is an excellent resource to have at your disposal and to share with your clients. We’re often asked if an applicable is eligible even though it doesn’t have access to clear-text cardholder data (CHD)/sensitive authentication data (SAD).  The short answer is, NO – the application will not be eligible for PA-DSS validation.

Best practices in PCI DSS v3.1 are now required

Please note that, when PCI DSS v3.0 was published in late 2013, Requirements 6.5.10, 8.5.1, 9.9, 11.3, and 12.9 were noted as “best practices” until 30 June 2015. All of these “best practices” are now requirements as of 1 July, 2015.

Here is a list of the items that will be audited in any assessment starting on July 1, 2015.

Verify that processes are in place to protect applications from vulnerabilities as listed in the requirement.

Additional requirement for service providers only: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.

Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

Maintain an up-to-date list of devices. The list should include at a minimum the data items as defined in the requirement.

Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).

Provide training for personnel to be aware of attempted tampering or replacement of devices.

Penetration tests must be performed against the new requirements of PCI DSS 3.1.

Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

PCI DSS Designated Entities Supplemental Validation is published

In addition to the release of PA-DSS v3.1, the PCI DSS Designated Entity Supplemental Validation (DESV) was also published in early June and is now available for use. The DESV provides organizations and assessors additional criteria for demonstrating how PCI DSS controls are integrated into business as usual processes to protect payment data from compromise on a continuous basis. These additional validation procedures are intended for entities that may be at greater risk of compromise (for example, those that process or aggregate large amounts of card data), but can also be used by other organizations to help ensure ongoing compliance and security throughout the year.

The additional validation steps in this document are organized into the following control areas:

  • Implement a PCI DSS compliance program
    Define a formal PCI DSS compliance program that manages all aspects of the business as usual components of the PCI DSS and addresses the annual assessments.
  • Document and validate PCI DSS scope
    Manage the PCI DSS scope and identify changes to the scope proactively.
  • Validate PCI DSS is incorporated into business-as-usual (BAU) activities
    Ensure that the PCI DSS controls operate effectively on a day-to-day basis throughout the year and are not re-activated just in time for the assessment.
  • Control and manage logical access to the cardholder data environment
    Perform a semi-annual entitlement review for all user accounts and access to system components to maintain nee-to-know.
  • Identify and respond to suspicious events
    React to identified and suspected incidents in a timely manner.

Provided that the above items are already formally documented and implemented, no additional work needs to be performed to meet validation steps.

The payment brands and acquirers determine which organizations are required to undergo assessment against the PCI DSS Designated Entities Supplemental Validation. For QSAs and ISAs wanting to understand whether your customer or organization is “designated” please reach out to the payment brands and acquirers in the same way as you would for any other compliance related questions.

Link to the supplemental document on PCI Council website

Questions? Please contact us!