Third-party providers will face more stringent regulations as part of a revamp in payment card industry regulations due to go into full effect in the new year.
The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers.
The changes follow a string of high profile breaches, several of which including the most serious Target and Home Depot breaches were subsequently traced back to lax security controls at third party providers. In the case of Target, its heating and air conditioning subcontractor was implicated in the subsequent hack and the retail chain.
Hackers tricked workers at a Pennsylvania air conditioning firm to open a malware-laced email attachment, the first stage in a multi-stage hack that ultimately allowed crooks to plants malware on point-of-sale terminals at Target.
The similar Home Depot hack - which exposed 56 million customer credit and debit card accounts - was also enabled by credentials stolen from an unnamed third-party vendor. This compromised access was used to plant credit card siphoning malware on self-service point-of-sale terminals at Home Depot.
The two mega-hacks collectively illustrate how weak passwords, lack of two factor authentication and other poor third party provider security practices have enabled criminals to break into businesses’ infrastructure and steal customers’ information.
The new standard will oblige third party service providers to use a unique password when accessing each business to which they remotely connect as well as mandating the use of two-factor authentication for those connections. Or, as the PCI Council, puts it: "service providers with remote access to customer premises, [need to] use unique authentication credentials for each customer".
Other new requirements in PCI 3.0 (PDF) mean that any e-commerce merchants who redirect payments to a third party, even if they don’t touch any cardholder data, will be in scope for compliance with PCI 3.0.
The revised version of the standard was published in November 2013 but only became mandatory with looming expiry of Version 2.0 at the turn of the year.
"This is a big change for e-commerce merchants," explained security tools firm Trustwave. "It means they will need to fill out self-assessment questionnaires, fulfil the pen testing and vulnerability scanning requirements and complete the other aspects of the compliance process – even if they do not directly transmit card holder data."
Point-of-sale devices will now need to be inspected on a periodic basis to make sure they have not been infected.
Finally penetration testing requirements will be more stringent under PCI 3.0. Testers will have to follow a formal framework laid out by the PCI Security Standards Council. The person who tests the system cannot be the same individual who manages or administers the system.
Organisations handling credit card data are up against a tight deadline to meet PCI 3.0 compliance by the turn of the year. Organisations that haven’t already met 3.0 compliance are putting themselves at serious risk, according to cloud and IT services firm Coretelligent.
"Version 3.0 has been effective since January 2014, but organizations were given an extended deadline through the year as long as they met version 2.0 compliance requirements," explained Kevin Routhier, founder and chief exec of Coretelligent. "That extended deadline is about to expire.
"At this point, organisations that are still in the process of meeting 3.0 compliance are behind, and they are putting themselves at serious risk of a costly data breach, lawsuit and government and payment card issuer fines," he warned.
As previously reported, PCI 3.0 compliance comes an opportunity to move beyond a check-the-box compliance mentality towards encouraging a proactive, continuous effort to improve security.
"The biggest change to version 3.0 is that it introduces 20 new evolving requirements, where previous versions only introduced one or two evolving requirements," Routhier added. "These new evolving requirements are designed to ensure that the standards are up to date with emerging threats and changes in the market."
"There will absolutely be more data breaches in 2015 – possibly even more than we saw in 2014 due to the booming underground market for cyber-criminals around both credit card data and identity theft. Compliance doesn’t guarantee an organisation won’t be breached, but meeting compliance requirements and staying ahead of today’s evolving threat landscape significantly mitigates an organisation’s risk," he concluded.
PCI DSS has been the established payment card industry standard since 2006. Many infosec watchers have historically criticised PCI as simply offering a minimal security baseline, containing such advice as "use an antivirus" and "protect cardholder data", rather than adopting a more risk- or business-focused approach. Merchants are obliged to adopt the standard in order to avoid higher card processing fees in general and tougher fines in the case of problems.
Compliance for small merchants is possible through self-assessment but larger firms are obliged to hire independent Qualified Security Assessor to run independent audits. ®