The Payment Card Industry Data Security Standard (PCI DSS) is constantly evolving, and it’s important that you and your team stay up to date on all changes and enhancements to the requirements to ensure compliance. One of the best ways to make sure you are interpreting the standard correctly is to get clarification from a Qualified Security Assessor (QSA). Below are three questions we have encountered related to the updated standard, along with our advice and best practices to help you maintain your compliance.
Q: What is your take on CDE scope and VoIP systems?
VoIP systems differ from a traditional analog phone line in that call data moves through your organization’s internal network and is potentially stored on servers. This makes the data reachable by more people and systems in the organization, and so increases the potential for unauthorized access to it. Unfortunately, many VoIP systems do not encrypt this traffic, on the assumption that the internal network is a “trusted environment”. This leaves your call data exposed to an attacker who can reach the network through any of its vulnerabilities.
Related to this is call-center data management. Most call centers record their calls, and those recordings may contain cardholder data or sensitive authentication data. This means the information is now being stored on their networks, and it is explicitly prohibited to store sensitive authentication data (information like CVV codes and card expiration dates) after a transaction has been authorized.
There are a few things you can do to manage the vulnerabilities associated with your VoIP system. First, it’s important that your VoIP system sits on an isolated VLAN (Virtual Local Area Network) with appropriate Access Control Lists (ACLs) in place. This keeps users and systems on other network segments from reaching your VoIP traffic and recordings. It also helps reduce scope creep: while the VoIP VLAN will be in scope, segmenting it from your organization’s other networks means those networks are now out of scope. Remember – your cardholder data environment is any system that stores, transmits, or processes cardholder data, as well as any system that could affect the security of those systems.
It’s also important that you monitor the content of the VoIP calls. Understanding what cardholder data or sensitive authentication data is sent over the phone will give you a better sense of what controls need to be in place to secure your environment. Know whether your calls are being recorded and, if so, how long the recordings are archived. Is any of your data being masked, or are the recordings paused to prevent sensitive data from being stored? The better you know your systems and processes, the better chance you have of meeting your compliance requirements.
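To make the scoping rule above concrete, here is an added example (not code from the original post) that models network segments as nodes and an ordered, first-match ACL as the thing that decides which segments can exchange traffic. The segment names and rules are constructed; the logic applies the page’s rule directly, treating a segment as in scope if it holds cardholder data or can reach, or be reached from, one that does.

```python
"""Segmentation and PCI scope: a toy model (added example, not from the
original post). VLANs are nodes; an ordered ACL decides which segments may
talk. A segment is in scope if it handles cardholder data or SAD (here the
VoIP VLAN and the call-recording server, both constructed names) or if it is
connected to an in-scope segment, since it could then affect the CDE."""

# Constructed network segments and ACLs for illustration only.
SEGMENTS = ["voip_vlan", "call_recording", "it_mgmt", "corp_users", "guest_wifi"]
CDE_SEGMENTS = {"voip_vlan", "call_recording"}

# Flat network: the VoIP VLAN exists, but nothing restricts access to it.
FLAT_ACL = [("any", "any", "permit")]

# Segmented network: only PBX admins reach the VoIP VLAN, phones reach the
# recorder, and everything else hits an explicit deny.
SEGMENTED_ACL = [
    ("voip_vlan", "call_recording", "permit"),  # phones upload recordings
    ("it_mgmt", "voip_vlan", "permit"),         # PBX administration
    ("any", "voip_vlan", "deny"),
    ("any", "call_recording", "deny"),
    ("corp_users", "guest_wifi", "permit"),     # unrelated lateral flow
]


def allowed(acl, src, dst):
    """First-match ACL evaluation with an implicit deny, as on a router.
    Each rule is (src, dst, action); "any" is a wildcard."""
    for rule_src, rule_dst, action in acl:
        if rule_src in (src, "any") and rule_dst in (dst, "any"):
            return action == "permit"
    return False


def in_scope_segments(segments, acl, cde_segments):
    """Return every segment in PCI scope: the CDE segments plus any segment
    that can reach, or be reached from, an in-scope segment (transitively)."""
    scope = set(cde_segments)
    changed = True
    while changed:
        changed = False
        for seg in segments:
            if seg in scope:
                continue
            if any(allowed(acl, seg, s) or allowed(acl, s, seg) for s in scope):
                scope.add(seg)
                changed = True
    return scope


if __name__ == "__main__":
    print("flat:     ", sorted(in_scope_segments(SEGMENTS, FLAT_ACL, CDE_SEGMENTS)))
    print("segmented:", sorted(in_scope_segments(SEGMENTS, SEGMENTED_ACL, CDE_SEGMENTS)))
```

With the flat ACL every segment lands in scope; with the segmented ACL only the PBX administration segment joins the two CDE segments, which is the scope reduction the answer describes.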
Q: What challenges have your clients faced as they implement the new requirements?
There are 9 new requirements that were implemented on January 31st, 2018. While all of these changes are relevant to service providers, only two of them apply to merchants themselves. One of the more interesting changes is the addition of more recurring requirements. These requirements have a duration attached, stating that actions need to be performed quarterly or biannually. The addition of so many recurring control reviews is meant to increase the attention given to PCI compliance. An organization can no longer get by with an annual PCI review and consider its work done. If it hasn’t happened yet, you can expect your PCI review to become an ongoing, perpetual process.
These changes, while they may look like more monitoring and auditing work, can make your monitoring program more efficient. Instead of scrambling at the last minute to gather audit evidence, you will have amassed it throughout the year as you perform your regular monitoring activities.
Another new requirement that can cause some trouble is the PCI committee. Instead of having a single person responsible for maintaining your PCI compliance, the requirement asks that a PCI committee be established that is responsible for designing, implementing, and monitoring the controls in place at your organization. It’s important that the people on this committee come from different business units within the organization. This strengthens your compliance culture across departments and gives the committee a more thorough understanding of the processes and procedures involved in PCI compliance.
Q: Mobile devices play a bigger role than ever in being able to serve customers. How does this impact PCI compliance?
Mobile devices give your customers the ability to interact with your organization in more ways than ever before. That added functionality brings new security and compliance concerns with it. Here are a few things you will want to keep in mind.
Depending on how the devices are used (over Wi-Fi or a cellular connection), you’ll want to be sure that the data is encrypted across any untrusted network. You will also want the appropriate protections in place both in and around your network to secure your data. This includes a firewall between the CDE and the rest of the network, the exclusion of unauthorized devices, and monitoring activities in place.
You will also need to understand what data is stored on the device itself and how it is protected there. Ideally nothing will be stored, but if something is, that data will need to be encrypted and protected at rest on those devices. There are approved Point-to-Point Encryption (P2PE) solutions that you can use to simplify compliance efforts. Using one of the approved P2PE solutions, and following its approved implementation guide, will actually remove this area from scope for your organization.