Version 3.0 of the PCI Data Security Standard (PCI DSS) goes into effect by the first of next year, and it probably doesn't come as a surprise that merchants that process credit card payments are still confused about what the changes mean for them.
While most of the changes are simple clarifications of previous requirements, they could have a major impact on merchants as they touch on everything from the definition of scope and segmentation, to formally documenting responsibilities between merchants and service providers and controls for preventing tampering and skimming at the point-of-sale.
The scope definition has always been one of the thorniest issues within PCI compliance. Many merchants will say they are compliant simply because they ran a vulnerability scan on a handful of credit and debit card data systems. But performing an external vulnerability scan is just one sub-requirement out of over 200 in the PCI DSS.
Additionally, by only focusing on the systems that actually handle credit card data, you're ignoring all of the other potentially vulnerable servers and workstations that share a network with the credit card processing systems, which should be included based on the way the scope is defined within PCI DSS.
It's not necessary for attackers to go directly after the systems that contain credit card data, especially because most companies have a "flat network" where only the Internet connection is guarded by a firewall and every server has the ability to communicate without going through a firewall or other filter.
That means attackers just need to find the easiest way to breach the network perimeter, which helps explain why we see so many phishing attacks that trick a user into running malware that opens a backdoor into their device. The attacker can then use the compromised device to launch attacks on the credit card processing systems from behind the secured perimeter.
For this reason, PCI DSS compliance is required on systems including those that actually handle card data, all the unrelated systems that connect to the same network, and the systems that can affect their security (authentication servers, firewalls, web redirection servers, etc.). This has been clarified and made explicit in the scope section of 3.0 and may come as a shock to merchants that have only addressed compliance on the systems that directly handle card data.
PCI encourages merchants to implement network segmentation by using firewalls to protect their card data systems from unrelated and non-compliant servers and workstations, thereby keeping those unrelated systems out of scope. However, there is a concern that ineffective segmentation can lead to a false sense of security and inaccurate scoping.
The new 3.0 version requirement 11.3.4, effective July 2015, requires annual penetration tests to validate that the segmentation methods are "operational and effective." I suspect a majority of merchants will find their segmentation isn't as effective as they thought and may need to tighten the screws on their firewalls as a result.
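One concrete form a segmentation check can take is a reachability test run from a host on an out-of-scope segment against the systems that handle card data: if the out-of-scope host can complete a TCP handshake with, or even get a TCP reset from, a cardholder data environment (CDE) host, the firewall is not isolating that segment. The script below is an added example written for this article, not code from the article, the PCI Security Standards Council, or any assessor; the target addresses are constructed RFC 5737 documentation addresses, and the `Target` labels and the "filtered means blocked" interpretation are assumptions an assessor would confirm against the firewall configuration.

```python
"""Segmentation validation check (added example, not from the article).

Run from a host on a segment the merchant has declared out of scope.
Every CDE target this host can reach is a segmentation finding.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    host: str
    port: int
    label: str  # constructed description, e.g. "POS controller"


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt a TCP connect and classify the result.

    'open'        -> handshake completed: a service on the CDE host answered.
    'refused'     -> the CDE host sent a RST: no service, but packets DID reach
                     it, so the firewall is not blocking this path.
    'filtered'    -> no reply before the timeout: consistent with a firewall
                     dropping traffic (assumption: the host is otherwise up).
    'unreachable' -> local routing/ICMP error: no route from this segment.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def validate_segmentation(targets, probe_fn=probe):
    """Return (target, state) for every CDE target reachable from this host.

    Both 'open' and 'refused' count as findings: segmentation is supposed to
    stop packets at the boundary, not rely on the CDE host having no listener.
    'filtered' and 'unreachable' are what effective segmentation looks like.
    """
    findings = []
    for target in targets:
        state = probe_fn(target.host, target.port)
        if state in ("open", "refused"):
            findings.append((target, state))
    return findings


def is_segmentation_effective(targets, probe_fn=probe) -> bool:
    """True only when no CDE target is reachable from this segment."""
    return not validate_segmentation(targets, probe_fn)


if __name__ == "__main__":
    # Constructed sample inventory using RFC 5737 TEST-NET addresses.
    cde_targets = [
        Target("192.0.2.10", 443, "payment application (constructed)"),
        Target("192.0.2.11", 3389, "POS controller RDP (constructed)"),
        Target("192.0.2.12", 1433, "transaction database (constructed)"),
    ]
    hits = validate_segmentation(cde_targets)
    for target, state in hits:
        print(f"FINDING: {target.label} {target.host}:{target.port} is {state}")
    print("segmentation effective" if not hits else f"{len(hits)} finding(s)")
```

The distinction between `refused` and `filtered` is the part merchants most often get wrong: a closed port on the CDE host still means the out-of-scope segment has a network path into the CDE, which is exactly what requirement 11.3.4 is asking the tester to disprove. Run the check from every segment claimed to be out of scope, and treat any non-empty findings list as evidence that the scoping claim does not hold.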