PCI DSS: Are you meeting the new mandatory requirements?
Geraint Williams
CISO @ Modern Networks - Protecting Modern Networks and its clients. Franchise Owner @ Going Digital East Anglia · Part-time photography and coach
On 31st January 2018 a number of the requirements in PCI DSS v3.2 became mandatory, which means that since that date you should have had the relevant controls in place to meet them. The standard requires the controls to be in place from the end of January at the latest, not left until your certification renewal date.
For all organisations, the following should have been implemented where applicable:
- Requirement 6.4.6 requires that your change management process enforces that, upon completion of a change, all relevant PCI DSS requirements have been applied to any in-scope system, process or documentation, as applicable.
- Requirement 8.3.1 requires that all administrative access to the CDE from within your own network has multi-factor authentication (MFA) in place that meets the requirements of PCI DSS. The SSC has published a guide on the use of MFA: the implemented MFA should use at least two of the three authentication factors, never the same factor twice, and the factors used must be independent of one another.
For service providers, the following should be in place where applicable:
- Requirement 3.5.1 requires a documented description of your cryptographic architecture that details all the algorithms, protocols and keys used to protect stored card data, including details such as key strength and the expiry dates of keys and certificates. It should state what each key is used for, so that keys of the correct strength are being applied, and you need an inventory of all components used to protect keys, i.e. secure cryptographic devices (SCD) or hardware security modules (HSM).
- Requirement 10.8 and its sub-requirement 10.8.1 require a policy, procedure and process for detecting and responding to failures in your critical security controls. A list of common critical security controls is given in the requirement, but the list is not exhaustive and other security controls, such as patching, should also be monitored. The response should cover how security functions are restored, documented, analysed and risk assessed, as well as remediation requirements and lessons learnt.
- Requirement 11.3.4.1 requires service providers to perform penetration testing of their segmentation controls, if they are used, at least every six months. All service providers will need to have completed a penetration test of their segmentation controls within six months of the requirement becoming effective, i.e. by 1st August 2018.
- Requirement 12.4.1 requires the establishment of a PCI compliance programme with responsibilities for the programme defined. It should also define how executive management is kept informed of the state of the compliance programme through periodic updates. A charter document is required that covers the establishment of accountability and communication to executive management, and it must be signed by executive management.
- Requirement 12.11 requires you to hold at least quarterly reviews to confirm that personnel are following security policies and operational procedures. It is now coming up to 3 months after the deadline on which the requirement became mandatory. Have you held your first review yet? Your compliance status is in jeopardy if you haven’t. A QSA conducting a RoC on a service provider will expect to see evidence of quarterly reviews since 31st January 2018 for you to be compliant, even if the audit is being conducted in December of this year.