To protect cardholder data, banks and other organizations that store, process or transmit payment card data must comply with the PCI Data Security Standard (PCI DSS). Many of these organizations would benefit from the cost and operational efficiencies of virtual and cloud technologies, but feel constrained by their compliance obligations.
PCI DSS 3.0, effective January 1, 2014, adds requirements that address virtualized environments directly, which makes this transition more opportune than ever.
For banks that feel caught between virtualization and regulation, it’s time to look at what changing PCI compliance standards really mean for the financial industry.
As most information technologists in the banking industry are probably aware, the PCI Security Standards Council published version 3.0 of its Data Security Standard (DSS) on November 7, 2013. Version 3.0 took effect on January 1, 2014, but version 2.0 remains valid until December 31, 2014, so businesses that handle payment data may assess against either version until then without penalty. The choice, however, is all or none: an assessment is performed entirely against one version. Making a version "2.5" out of pieces of 2.0 and 3.0 will not suffice.
Banks moving toward cloud and virtualized environments must embrace the new standard. Indeed, banks should recognize that the standard is simply keeping up with the times by addressing the fundamentals of scope management, continuous monitoring and system administration in a world that overwhelmingly recognizes the cost advantages and operational efficiencies of virtualized computing.
Two themes that run through 3.0, treating security as a continuous, business-as-usual activity and closing the gap between being secure and being compliant, describe an ongoing effort rather than a once-a-year audit.
As part of this maturation, organizations subject to PCI DSS remain accountable for their CDE even when it runs at a third-party service provider: they must know which requirements the provider manages on their behalf and which remain their own (requirement 12.8.5 in 3.0), and the provider's compliance does not transfer to them.
There are three key areas in which PCI DSS 3.0 differs from 2.0:
1) Scope Management is Your Responsibility
Whether you use outside service providers or not, you are responsible for tracking the footprint of cardholder data. In the pre-virtualized world, the Cardholder Data Environment (CDE) was conveniently defined by physical servers, switches and cables. In a virtualized environment, the CDE defies the physical bounds of hardware: a payment VM can share a hypervisor, a virtual switch and a storage array with workloads that have nothing to do with payments, and it can move between hosts.
However, for the purposes of an audit under 3.0, “To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE, such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.” (PCI DSS 3.0, pp. 10-11.) In other words, to keep the auditors from raising an eyebrow, banks must define the CDE boundary logically (virtual firewalls, VLANs, port groups, hypervisor-level policy) and be able to demonstrate that the segmentation actually holds; 3.0 adds a penetration-testing requirement (11.3.4) to verify that segmentation methods are operational and effective. Anything that can still connect into the CDE is not segmented from it and is in scope.
And to prove you have accomplished this, PCI DSS 3.0 also requires you to maintain: a) an up-to-date network diagram of the CDE and all connections to it (1.1.2), b) a diagram of cardholder data flows across systems and networks (1.1.3, new in 3.0), and c) an inventory of system components in scope for PCI DSS (2.4, also new in 3.0).
Many banks operating virtualized CDEs will put the auditors at ease by automating segmentation, diagramming and inventory with a virtual policy management system. If you use an outside PCI-compliant datacenter, do not assume that it has met these requirements for you: its attestation covers its own environment and services, not the scope of your CDE. Mind your scope.
2) Continuous Monitoring is the New Norm
The name of the new PCI game is vigilance. Some payment card handlers are used to getting by with a quarterly vulnerability scan. In a virtualized world, that's like going on a diet and not stepping on the scale until 90 days later: you will have no idea how the incremental changes made to the CDE in between affect the overall security picture.
You should always be able to answer the question, “Who has access to the data?” Every time your organization modifies a web application or releases an update, you must scan for new vulnerabilities (PCI DSS already requires a rescan after any significant change, requirement 11.2.3). We create vulnerabilities through progress, not stagnation. Particularly in an organization where the pace of development is aggressive, PCI DSS 3.0 compliance demands an equally aggressive monitoring program.
Continuous monitoring should cover all virtual assets and network activity, plus automatic enforcement of access controls and network configurations, so that a change that breaks segmentation is caught (or blocked) when it happens rather than at the next scan. Vulnerability management, including checks on virtual machine and hypervisor configuration, belongs in this program too. Under 3.0, PCI compliance is continuous, not quarterly.
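To make the scoping rule and the "incremental change" problem concrete, here is an added example (not code from the article, from Catbird, or from the PCI SSC) that computes PCI scope from an inventory and a set of allowed flows, then shows how a single new firewall rule silently drags more systems into scope. The inventory, the flow rules, the hypervisor mapping and all component names are constructed for illustration; the scoping logic is a conservative reading of the 3.0 text quoted above (anything that could connect into the CDE, anything the CDE connects out to, and any hypervisor hosting CDE guests is in scope).

```python
from collections import deque

# Constructed inventory (illustrative, not from the article): component name
# -> tags. "chd" marks components that store, process or transmit cardholder
# data, i.e. the CDE proper. Everything else is a candidate for "out of scope"
# until the flow rules say otherwise.
INVENTORY = {
    "pay-web":   {"chd", "vm"},
    "pay-app":   {"chd", "vm"},
    "pay-db":    {"chd", "vm"},
    "esx-host1": {"hypervisor"},
    "jump-host": {"vm"},
    "ad-dc":     {"vm"},
    "log-sink":  {"vm"},
    "ci-server": {"vm"},
    "dev-ws":    {"workstation"},
    "hr-app":    {"vm"},
}

# Constructed segmentation policy: directed flows the virtual firewall permits.
# (src, dst) means src may initiate connections to dst; anything not listed is
# denied. This is the logical CDE boundary the article talks about.
BASELINE_FLOWS = frozenset({
    ("jump-host", "pay-app"),   # administrative access into the CDE
    ("pay-web", "pay-app"),
    ("pay-app", "pay-db"),
    ("pay-app", "ad-dc"),       # CDE authenticates against the directory
    ("pay-app", "log-sink"),    # CDE ships logs out
    ("dev-ws", "ci-server"),
    ("ci-server", "hr-app"),
    ("hr-app", "ad-dc"),
})

# Hypervisor -> guest VMs (constructed). A hypervisor carrying CDE guests is in
# scope no matter what the network policy says: it can read guest memory and disks.
HOSTS = {"esx-host1": {"pay-web", "pay-app", "pay-db"}}


def cde_components(inventory):
    """The CDE proper: every component tagged as handling cardholder data."""
    return {name for name, tags in inventory.items() if "chd" in tags}


def can_reach(targets, flows):
    """Components that can initiate a connection into any target, directly or
    through intermediaries: a reverse breadth-first search over allowed flows."""
    preds = {}
    for src, dst in flows:
        preds.setdefault(dst, set()).add(src)
    seen, queue = set(), deque(targets)
    while queue:
        for src in preds.get(queue.popleft(), ()):
            if src not in seen and src not in targets:
                seen.add(src)
                queue.append(src)
    return seen


def pci_scope(inventory, flows, hosts):
    """Map every in-scope component to the reason it is in scope.

    Conservative reading of the 3.0 scoping text: a component is out of scope
    only if compromising it could not impact the CDE. So anything that can open
    a connection into the CDE (even via another system), anything the CDE
    connects out to, and any hypervisor hosting CDE guests stays in scope.
    """
    cde = cde_components(inventory)
    scope = {c: "CDE: stores, processes or transmits cardholder data" for c in cde}
    for hypervisor, guests in hosts.items():
        if guests & cde:
            scope.setdefault(hypervisor, "hypervisor hosting CDE virtual machines")
    for c in can_reach(cde, flows):
        scope.setdefault(c, "connected-to: can initiate connections into the CDE")
    for src, dst in flows:
        if src in cde:
            scope.setdefault(dst, "connected-to: receives connections from the CDE")
    return scope


def scope_drift(inventory, old_flows, new_flows, hosts):
    """Compare two policy snapshots and return (newly in scope, newly out)."""
    before = set(pci_scope(inventory, old_flows, hosts))
    after = set(pci_scope(inventory, new_flows, hosts))
    return after - before, before - after


if __name__ == "__main__":
    scope = pci_scope(INVENTORY, BASELINE_FLOWS, HOSTS)
    for name in sorted(INVENTORY):
        print(f"{name:10} {scope.get(name, 'out of scope')}")
    # One "harmless" change: let the CI server deploy straight to the payment
    # app. The CI server and every workstation that can reach it are now in
    # scope, although only a single rule was added.
    changed = BASELINE_FLOWS | {("ci-server", "pay-app")}
    added, removed = scope_drift(INVENTORY, BASELINE_FLOWS, changed, HOSTS)
    print("scope grew by:", sorted(added), "shrank by:", sorted(removed))
```

Run as-is it prints the per-component scope verdict for the baseline policy and then reports that adding the one CI-to-payment rule pulls both `ci-server` and `dev-ws` into scope, while `hr-app` stays out because nothing lets it connect toward the CDE. Running `scope_drift` on every policy change, rather than once a quarter, is the mechanical form of the continuous monitoring described above; a non-empty "shrank by" result deserves a look too, since it usually means a required flow (log shipping, authentication) was removed rather than that something was genuinely segmented off.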
3) Virtual Administration Must be Refined
Without separation of duties, privileges are easily abused in virtual administration. Even a private virtualized environment must be treated like the open range of a public cloud. Where a single virtual administrator can provision a system from beginning to end (create the VM, attach it to a network, open the firewall and approve the change), the lack of checks and balances is liable to expose the CDE: one account at the hypervisor can move a workload into the CDE or copy a payment VM's memory and disk, which is also why the hypervisor itself is in scope.
Simply put, separate and enforce permissions: define roles so that no single account can both make a change to the CDE and approve it, and check the combination of roles each person holds, not just each role on its own. Create a situation where human error can't lower the drawbridge to an otherwise segmented, monitored and well-fortified CDE.
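The following is an added example (not code from the article or from Catbird) of the separation-of-duties check just described, run over a role model for a virtualization team. The roles, users, permission names and the list of toxic combinations are constructed and hypothetical; they are not any particular hypervisor product's permission names. The point it demonstrates is that separation has to be judged on the union of what a person holds: two individually harmless roles combine into a conflict, and a catch-all role is a conflict on its own.

```python
# Constructed role model (illustrative, not from the article and not any
# particular hypervisor's permission names): role -> permissions it grants
# over the virtual infrastructure.
ROLES = {
    "vm-provisioner":  {"vm.create", "vm.delete"},
    "network-admin":   {"portgroup.assign", "firewall.edit"},
    "change-approver": {"change.approve"},
    "cde-operator":    {"vm.console"},
    # One catch-all role, as often found in a small virtualization team.
    "hypervisor-root": {"vm.create", "vm.delete", "portgroup.assign",
                        "firewall.edit", "vm.snapshot", "change.approve"},
}

# Constructed assignments: user -> roles held. Carol holds two roles that are
# each harmless alone; Dave holds a single role that is toxic by itself.
USERS = {
    "alice": {"vm-provisioner"},
    "bob":   {"network-admin"},
    "carol": {"vm-provisioner", "network-admin"},
    "dave":  {"hypervisor-root"},
}

# Toxic combinations: holding both permissions lets one person move a workload
# into the CDE or weaken its boundary without a second pair of eyes.
CONFLICTS = [
    ("vm.create", "portgroup.assign",
     "build a VM and attach it to a CDE network single-handedly"),
    ("firewall.edit", "change.approve",
     "open a hole in the CDE boundary and approve the change"),
    ("vm.snapshot", "vm.delete",
     "copy a CDE VM's disk and memory, then destroy the evidence"),
]


def effective_permissions(role_names, roles=ROLES):
    """Union of everything the user's roles grant. Separation of duties has to
    be judged on this set, not on each role in isolation."""
    perms = set()
    for role in role_names:
        perms |= roles[role]
    return perms


def sod_violations(perms, conflicts=CONFLICTS):
    """Every toxic pair fully contained in `perms`, with its rationale."""
    return [(a, b, why) for a, b, why in conflicts if a in perms and b in perms]


def audit(users=USERS, roles=ROLES, conflicts=CONFLICTS):
    """Detective control: users whose combined roles violate separation."""
    report = {}
    for user, role_names in users.items():
        found = sod_violations(effective_permissions(role_names, roles), conflicts)
        if found:
            report[user] = found
    return report


def can_grant(user, role, users=USERS, roles=ROLES, conflicts=CONFLICTS):
    """Preventive control: would adding `role` to `user` create a conflict?
    Returns (allowed, violations). Wire this in front of the provisioning
    system so the toxic combination never comes into existence."""
    proposed = users.get(user, set()) | {role}
    found = sod_violations(effective_permissions(proposed, roles), conflicts)
    return not found, found


if __name__ == "__main__":
    for user, found in audit().items():
        for a, b, why in found:
            print(f"{user}: holds {a} and {b}: could {why}")
    ok, _ = can_grant("alice", "network-admin")
    print("grant network-admin to alice:", "allowed" if ok else "refused")
    ok, _ = can_grant("alice", "change-approver")
    print("grant change-approver to alice:", "allowed" if ok else "refused")
```

`audit` is the periodic (detective) check; `can_grant` is the enforcement point, and it is the one that keeps human error from lowering the drawbridge, because it refuses the grant before the combination exists rather than reporting it afterwards. Carol's finding is fixed by moving one of her roles to someone else; Dave's is fixed by splitting the catch-all role, since no assignment change can make a single toxic role safe.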
Virtualization not only provides a more efficient and effective way to manage your infrastructure needs, but also provides the opportunity to satisfy your compliance requirements in a software-defined world.
As payment card regulation catches up with the virtualized times, don’t allow regulation to pass or lap your bank. Where scope management, monitoring and virtual administration seem daunting, look for solutions that offer automation, efficiency and peace of mind. When it comes to PCI compliance, do what it takes to keep your customers safe, your auditors bored and your organization innovating.
Randal Asay is the chief technology officer of Catbird, a security solutions provider.