Written by: JOHN P. MONAHAN, CISA, AQSA, PCIP, A(ISC)2
In November 2018, the Payment Card Industry Security Standards Council (PCI SSC) released an updated technical FAQ surrounding the Card Protection and Provisioning Security Requirements that are outlined in the Payment Card Industry Data Security Standards (PCI DSS). The full text can be found here.
In this update, the PCI SSC outlines two major areas of change, logical security and physical security requirements, but it also addresses many other questions that provide additional, timely clarification on how PCI security requirements apply within organizations.
Logical Network Security
In logical security, access controls are extremely important. The FAQ answers many questions in this area and spends a great deal of time on roles and responsibilities (the principle of least privilege), on the protection and masking of data, and on appropriate data handling. These questions are geared toward encryption, key management, system monitoring, and vulnerability testing. Together, these controls establish that data is accessed only by those who should access it, and that data that shouldn't be accessed is protected from unauthorized access.
One of the most important questions comes in section 4.1.2 Confidential Data (pg.5). This question concerns the four types of data related to credit cards, namely the primary account number (PAN), expiration date, service code, and card holder data, and asks which of these are considered confidential. The PCI SSC states that the only element that is always considered confidential is the primary account number; the others are not considered confidential unless they can be traced back to, or are stored in conjunction with, the PAN. Because of the nature of the data, without the PAN the other elements are rendered useless, so the PAN is the most important and critical piece of data. This is why the PCI DSS stresses the importance of either encrypting this data or not storing it at all. If it is stored, the data should be handled according to the guidelines so that PCI data is accessed only by authorized individuals and, when no longer needed, destroyed to the point that it is not recoverable.
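As an added example, not code from the original article or from the PCI SSC FAQ, the Python below implements two practitioner checks this section alludes to: scanning log lines for stored PANs (with a Luhn filter to reject ordinary digit runs such as order or session ids) and masking them, and applying the FAQ's confidentiality rule to a stored record. The digit-run pattern, the six-plus-four mask and the sample log lines are constructed assumptions.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes (constructed pattern).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out most non-PAN digit runs such as order or session ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold two-digit results
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the usual display limit) and mask the rest."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid candidate PAN found in text, digits only."""
    found = [re.sub(r"\D", "", m.group(0)) for m in PAN_RE.finditer(text)]
    return [d for d in found if luhn_valid(d)]


def redact(text: str) -> str:
    """Replace each Luhn-valid PAN in text with its masked form; other digit runs are left alone."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(_sub, text)


def confidential_fields(record: dict) -> set[str]:
    """FAQ 4.1.2 rule: the PAN is always confidential; expiry date, service code and
    cardholder data count as confidential only when stored in conjunction with a PAN."""
    pan = record.get("pan")
    if not pan or not luhn_valid(re.sub(r"\D", "", pan)):
        return set()
    return {k for k in ("pan", "expiry", "service_code", "cardholder_name") if record.get(k)}


# Constructed sample log lines; 4111... and 5555...4444 are well-known test card numbers.
SAMPLE_LOG = """2018-11-12 10:02:13 INFO order 4482 paid card=4111-1111-1111-1111 exp=12/22
2018-11-12 10:02:14 INFO session id=1234567890123 user=alice
2018-11-12 10:03:01 DEBUG card=5555 5555 5555 4444 svc=201"""
```

Running `redact(SAMPLE_LOG)` leaves the session id untouched (it fails the Luhn check) while both card numbers come back masked.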
Physical Security Controls
The Technical FAQ also reminds us of the importance of the physical security controls surrounding High Security Areas (HSA), specifically those concerning external service providers, building security, and destruction of physical media. The FAQ stresses these controls because of the growing reliance on vendor relationships and outsourced services. Whether a vendor hosts the storage of the data or does work at your organization, protecting the physical assets and data becomes increasingly important given the number of individuals with access to the data. The more people who have access to the physical assets, the more likely it is they will be mistreated.
Due to the rise of Voice over Internet Protocol (VoIP) technology in organizations with credit card data, the PCI SSC communicates the significance of VoIP network segregation in Q11 (pg.7) of the FAQ. The question asks whether VoIP technologies can be present in, or connected to, the High Security Areas (HSA). Because of the inherent risk of VoIP networks connecting to the internet, the PCI SSC determined that VoIP technologies cannot be used in the HSA; instead the HSA must be connected with either a telephone service or a public switched telephone network. If the organization wishes to have VoIP technologies active within the organization, these networks must be segregated from the HSA on separate virtual local area networks (VLANs) to ensure that card holder data is sufficiently protected and that the HSA cannot be easily accessed through the VoIP network.
If you're interested in learning more about this topic, contact Will Nowik, CISA, CISSP, QSA, PCIP, CCSFP, Assurance Principal, at 617-428-5469 or [email protected].