Clarifying the new PCI DSS 3.2 Requirements for Service Providers

The process of securing cardholder data is a shared responsibility amongst multiple parties that play a role in the card transaction process. They include merchants, processors, acquirers, backup tape storage facilities, issuers and service providers just to name a few. All of these entities play a part in the far-reaching responsibility of protecting consumer data. The Payment Card Industry Data Security Standard or PCI DSS is the roadmap that they can turn to in order to prevent the compromising of primary account numbers (PAN) and other sensitive consumer credit card information.

Merchants may utilize a variety of service providers to support their businesses. These service providers of course have varying levels of exposure to the card transaction process. A managed services provider obviously plays a lesser role in data card transactions than does a payment processor. Despite their differing levels of involvement and exposure, it is important that all service providers be aware of their responsibilities in the shared security process. The PCI DSS defines a service provider as:

“any business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data.”

Service providers are responsible for demonstrating PCI DSS compliance in one of the following two ways:

1. Annual assessment:

Service providers can undergo an annual PCI DSS assessment(s) on their own and provide evidence to their customers to demonstrate their compliance

2. Multiple, on-demand assessments:

If they do not undergo their own annual PCI DSS assessments, service providers must undergo assessments upon request of their customers and/or participate in each of their customer’s PCI DSS reviews, with the results of each review provided to the respective customer(s)

PCI DSS is comprised of 12 sections of security requirements:

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protecting stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restricting access to cardholder data by business need to know
8. Identity and authenticate access to system components
9. Restrict physical access to cardholder data
10. Tracking and monitor access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

Some of the DSS requirements strictly apply to service providers. We have listed those specific PCI DSS requirements below.

3.5.1 Maintain a documented description of the cryptographic architecture including the details of all algorithms, protocols and keys used for the protection of cardholder data as well as a description of the key usage of each key as well as an inventory of any host (or hardware) security modules (or HSM) and other Secure Cryptographic Device (or SCD) used for key management. Securing cryptographic keys is as imperative to the data protection process as the actual encryption process of the data. Without the encryption keys, data that has been illegally obtained is unreadable.

8.5.1 Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer. The importance of this cannot be ignored. Earlier this year, over 300,000 patient records were stolen due to a breach of multiple health organizations across the U.S. due to a cloud application vendor who utilized identical credentials for all of those organizations. Using the same password may be convenient, but can exponentially expand the impact of sensitive data theft.

10.8 Implement a process for the timely detection and reporting of failures as it applies to critical security control systems such as firewalls, IDS/IPS, FIM, anti-virus and physical/logical access controls, audit logging mechanisms and segmentation controls. Without formal processes to detect and alert when critical security controls fail, failures may go undetected for extended periods and provide attackers ample time to compromise systems and steal sensitive data from the cardholder data environment.

10.8.1 Respond to failures of any critical security controls in a timely manner and must include

• restoring security functions, identifying and documenting the duration (date and time start to end) of the security failure,
• identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause
• Identifying and addressing any security issues that arose during the failure
• Performing a risk assessment to determine whether further actions are required as a result of the security failure
• Implementing controls to prevent cause of failure from reoccurring
• Resuming monitoring of security controls

If critical security control failures alerts are not quickly and effectively responded to, attackers may use this time to insert malicious software, gain control of a system, or steal data from the entity’s environment.

11.3.4.1 If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods. Validation of PCI DSS scope should be performed as frequently as possible to ensure PCI DSS scope remains up to date and aligned with changing business objectives.

12.4.1 Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program which must include overall accountability for maintaining PCI DSS compliance and defining a charter for a PCI DSS compliance program which is communicated to executive management. Executive management assignment of PCI DSS compliance responsibilities ensures executive-level visibility into the PCI DSS compliance program and allows for the opportunity to ask appropriate questions to determine the effectiveness of the program and influence strategic priorities.

12.9 Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. This is intended to promote a consistent level of understanding between service providers and their customers about their applicable PCI DSS responsibilities.

12.11 Perform reviews on a quarterly at the minimum in order to confirm personnel are following required security policies and operational procedures. Reviews must cover the following processes:

• Daily log reviews
• Firewall rule-set reviews
• Applying configuration standards to new systems
• Responding to security alerts
• Change management processes

Regularly confirming that security policies and procedures are being followed provides assurance that the expected controls are active and working as intended.

12.11.1 Maintain documentation of quarterly review processes, including the results of those reviews which also must be signed by the personnel who are delegated the responsibility for the PCI DSS compliance program. The intent of these independent checks is to confirm whether security activities are being performed on an ongoing basis.

As was the case with previous versions of the PCI DSS, some requirements have additional testing procedures for Service Providers and Shared Hosting Providers also have to address Appendix A1 or the PCI DSS to ensure full compliance with the standard. Since these are not new requirements, they were not discussed in this article.

The Internet is often referred to as everyone’s stuff connected to everyone’s stuff and often times the lines of responsibility between merchant and service provider can become blurred when it comes to card transactions. The convergence of multiple parties can complicate the security process, but careful adherence to PCI DSS and third-party vendor management can make the practice of protecting the cardholder data a lot simpler.

To learn more about third-party vendor management, contact HALOCK.