
PCI FAQ: Understanding the Update

Written by: John P. Monahan, CISA, AQSA, PCIP, A(ISC)2

In November 2018, the Payment Card Industry Security Standards Council (PCI SSC) released an updated technical FAQ surrounding the Card Protection and Provisioning Security Requirements that are outlined in the Payment Card Industry Data Security Standards (PCI DSS). The full text can be found here.

In this update, the PCI SSC outlines two major changes, one in the area of logical security and one in the area of physical security requirements. It also addresses many other important questions that provide additional, timely clarification on how the PCI security requirements apply within organizations.

Logical Network Security

In logical security, access controls are extremely important. The FAQ answers many questions on this topic and spends a great deal of time on roles and responsibilities (the principle of least privilege), the protection and masking of data, and the appropriate handling of data. Further questions are geared toward encryption, key management, system monitoring, and vulnerability testing. Together, these controls establish that data is accessed only as intended, and that data which should not be accessed is protected from unauthorized access.

One of the most important questions comes in section 4.1.2 Confidential Data (pg.5). This question asks about the four types of data related to credit cards—primary account number (PAN), expiration date, service code, and cardholder data—and which of them are considered confidential. The PCI SSC states that the only element that is always considered confidential is the PAN; the others are not considered confidential unless they can be traced back to, or are stored in conjunction with, the PAN. Because of the nature of the data, if the PAN cannot be found, the other data is rendered useless; the PAN is therefore the most important and critical piece of data. This is why the PCI DSS stresses the importance of either encrypting this data or not storing it at all. If it is stored, the data should be handled according to the guidelines, so that PCI data is handled only by authorized individuals and is destroyed beyond recovery when it is no longer needed.
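The point above, that the PAN is the element to protect and that the remaining fields are of little use without it, is illustrated by the following added example (example code written for this article, not from the FAQ or the PCI SSC). It assumes a constructed test PAN and truncates to the first six and last four digits, a common PCI DSS display truncation; the regular expression and record layout are also assumptions made for the illustration.

```python
import re

# Constructed sample record for the example; the PAN is a well-known test number, not a real card.
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "expiry": "12/26",
    "service_code": "201",
    "cardholder_name": "J. Doe",
}

# Digit runs of 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer number.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum that every PAN carries."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate a PAN to its first six and last four digits; everything else becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_text(text: str) -> tuple:
    """Mask every Luhn-valid PAN-like sequence in free text (tickets, logs). Returns (text, count)."""
    count = 0

    def repl(match):
        nonlocal count
        digits = re.sub(r"\D", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return match.group(0)     # non-Luhn digit runs (order numbers, IDs) are left alone

    return PAN_RE.sub(repl, text), count


def protect_record(record: dict) -> dict:
    """Keep only the truncated PAN: expiry, service code and name remain but cannot be used without it."""
    protected = dict(record)
    protected["pan"] = mask_pan(record["pan"])
    return protected
```

The redaction pass is the kind of check a defender runs over support tickets or application logs to find PANs that should never have been written there.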

Physical Security Controls

The Technical FAQ also reminds us of the importance of the physical security controls surrounding High Security Areas (HSA), specifically those concerning external service providers, building security, and the destruction of physical media. The FAQ stresses these controls because of the increased reliance on vendor relationships and outsourced services. Whether a vendor hosts the stored data or a vendor performs work at your organization, protecting the physical assets and data becomes increasingly important because of the number of individuals with access to the data. The more people who have access to the physical assets, the more likely it is that they will be mishandled.

Due to the rise of Voice over Internet Protocol (VoIP) technology in organizations that hold credit card data, the PCI SSC communicates the significance of VoIP network segregation in Q11 (pg.7) of the FAQ. The question asks whether VoIP technologies can be present in, or connected to, the High Security Areas (HSA). Because of the inherent risk of VoIP networks connecting to the internet, the PCI SSC determined that VoIP technologies cannot be used in the HSA; instead, the HSA must be connected with either a telephone service or a public switched telephone network. If the organization wishes to have VoIP technologies active elsewhere within the organization, these networks must be segregated from the HSA on separate virtual local area networks (VLANs) to ensure that cardholder data is sufficiently protected and that the HSA cannot be easily reached through the VoIP network.

Packaging and Delivery Requirements

The second major update comes in Section 5: Packaging and Delivery Requirements, Q57 (pg.31). This update concerns delivering credit cards to destinations other than the issuer or an approved vendor. With the increase in corporate credit cards purchased in recent years, the PCI SSC wanted to ensure that, when cards are ordered or sent to a destination different from that of the issuer (the individual or organization enrolling for the credit card), the credit card data (card number, expiration, and CVV code) is protected and delivered to an authorized individual. For this to occur, the issuer or approved vendor must hold a letter signed by a corporate officer stating that the destination of the card shipment is acceptable, and that if the card(s) should be lost, stolen, or misplaced, all liability would be placed on the issuer or approved vendor. Without this signed letter, the cards should not be shipped or delivered to the requested location.

If you’re interested in learning more about this topic, contact Will Nowik, CISA, CISSP, QSA, PCIP, CCSFP, Assurance Principal, at 617-428-5469 or WNowik@wolfandco.com.