When it comes to compliance, especially as it relates to web application security, the Payment Card Industry Data Security Standard (PCI DSS) is usually the main topic of discussion. Unlike the more vague government regulations such as the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, PCI DSS is very prescriptive.
PCI DSS and its sister regulation PA-DSS provide guidance on exactly what’s expected in terms of how web applications and related systems that process or store cardholder data must be secured. This is beneficial to the entire payment card industry because it helps ensure that everyone is on the same page and leaves little room for interpretation.
Well, the next chapter in PCI compliance has just begun. Over three years after PCI DSS version 2.0 was released, the PCI Security Standards Council (SSC) has published its latest updates in PCI DSS version 3.0. These new standards take effect on January 1, 2014. But don’t be alarmed. The version 2.0 standards will remain in effect through 2014. Therefore banks, merchants, processors and other affected entities will have until 2015 to align themselves with PCI version 3.0’s requirements.
So, how does the new PCI DSS 3.0 standard impact you and your business in terms of web application security? The essence of PCI DSS remains the same:
1) build and maintain a secure network and systems
2) protected cardholder data
3) maintain a vulnerability management program
4) implement strong access control measures
5) regularly monitor and test networks
6) maintain an information security policy.
What’s different about PCI DSS 3.0 is the guidance around integrating its requirements with business processes and enhancing security assessments to ensure all areas are properly addressed. In fact, a new section in PCI DSS 3.0 titled Best Practices for Implementing PCI DSS into Business-as-Usual Processes states the obvious yet it’s something that’s often taken for granted:
“PCI DSS should be implemented into business-as-usual (BAU) activities as part of an entity’s overall security strategy.”
The business-as-usual integration section also highlights the importance of proactive monitoring, timely response, managing changes, and periodic reviews to ensure PCI DSS’s requirements are actually made part of everyday business operations. Again, they’re stating the obvious. However, if you look at web security breaches, the underlying causes are, in most cases, due to a failure in one or more of those areas of security management.
The following are the new requirements in PCI DSS 3.0 that the PCI SSC has made note of:
Requirements 8.5.1, 9.9, 11.3, 11.3.4, and 12.9 above will be considered “best practices” to follow by the PCI SSC until July 1, 2015 when they will be enforced. The same goes for the web application-specific Requirement 6.5.10 (Broken authentication and session management).
Regardless of how you look at it, practically all of the changes in PCI DSS version 3.0 impact web application security in some way. Looking specifically at the one requirement that impacts web application security the most (Requirement 6: Develop and maintain secure systems and applications) you need to be aware of the following:
All in all, PCI DSS version 3.0 is more of the same with a bit more business-centric substance and practical guidelines. If you have a strong information security program in place, you’re likely already addressing the new requirements. If not, there’s obviously some work in order. You have a year, but as we’re continually reminded working with web application security, time goes by quickly and things are harder to change than we think they’re going to be.
The time to get started with PCI DSS 3.0 compliance is now. Download it, scan your websites and web applications with Netsparker Web Application Security Scanner and generate PCI DSS version 3 compliance report to start to familiarize yourself with it. The deadline will be here before we know it.
And to ensure that your web applications and business operations are secure and PCI compliant at the same time, follow our complete guide to PCI DSS compliance.