Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: A PCI 4.0 Interview (Part 2)

Listen on Apple Podcasts
Listen on Google Podcasts

Quick Take

On this special two-part episode of Compliance Unfiltered, the CU guys are proud to welcome in Steve Levinson, VP of Risk & Security and Sherri Collis, Director of PCI Services of Online Business Systems, to chat about PCI 4.0.

Online has been a friend of TCT and a formidable name in the PCI space for many years. In Part 2 of 2, Steve and Sherri share their insights on all the requirements for 4.0, complete with color commentary! Wondering what organizations should do about readiness? Steve and Sherri have you covered there as well.

And don’t forget to go back and listen to Part 1 of our PCI 4.0 conversation with Sherri Collis and Steve Levinson of Online Business Systems, if you haven’t already!

Remember to follow us on LinkedIn and Twitter!

Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside a man who is assuredly the hollandaise to your compliance benedict, Mr. Adam Goslin. How the heck are you, sir? You’re making me hungry now. I tell you what, you are not the only one hungry for more. That’s right, it is part two of our two-part series with the folks over from Online, Mr. Steve Levinson and Ms. Sherri Collis.

Thank you so much for your time today. We’re excited to continue the conversation with you about PCI version 4.0. How are you today? I’m doing great, very happy to be here. Fantastic. Wonderful, thank you for having us. Indeed, indeed. For those who hadn’t joined us yet, please feel free to go back and subscribe to the podcast. Listen to part one of this series to catch you up to speed.

Steve is the VP of Risk and Security for Online, and Sherri is the Director of PCI Services. So, let’s run through some of the requirements, starting with requirement one, and then let’s have you transition through the remaining requirements and dependencies.
I’m sure Adam’s going to jump in along with some additional questions as we go. Very good. So, as we get started, we’ll just jump right in with requirement one, which is all about network security. The good news with one is that it’s just simpler and cleaner.
It does apply to all methods of connectivity and segmentation, and even CDE wireless must be segmented from the CDE or within the CDE. One thing to remember is that your firewalls protect you from external coming into your CDE, but 80% of your traffic happens inside your networks and your firewalls. So you need to be very careful, look at segmenting to prevent lateral movement, and make sure you test for vulnerabilities before you attach to the network. There really aren’t significant changes in requirement one. A good thing also about requirement one, if you just apply our modern-day reality to this, is there’s a lot of folks out there that are probably more concerned, you know, with malware and ransomware than they are with PCI, and this is where really strong and effective network segmentation comes in quite handy. So a lot of times, since you have to do these things anyway in the world of PCI, it’s a good thing to do. I’m not saying just preventing ransomware, but it certainly can help spread the, you know, spread the attack or slow it down.

Yeah, and certainly some of the things I’ve seen, you know, in environments over the years is, you know, is that kind of close attention to, you know, how do I want to segment, you know, this particular network so that I can, you know, so that I can mitigate, you know, threats to the environment. Um, you know, certainly a stronger focus there isn’t gonna harm anybody.

Oh, not at all, you’re right.

On requirement two, it’s also not a significant change; however, you might be able to create some efficiencies based on what has changed. So now they’ve added the recognition that you can have more than one primary function per server, because some applications and things are really difficult to separate, or services like Active Directory and DNS. So you can now have things live on the same server, so you can get rid of some of your servers and, you know, stop having to put antivirus and do vulnerability scanning and deal with all of that you would have to, to keep the server running. There’s a caveat to that, and the caveat is that you have to look at the server that needs the most secure, uh, coverage over it. So if you have one that has credit card data, then any other service that is running on that has to be at the level of the most sensitive data, so you would have to make sure that the entire server was covered based on the most sensitive information. We listened to a forensics investigator speak at a community meeting, and one of the things that they brought out, we see configuration standards that aren’t all that explicit quite often. And one of the points that they made is that if you don’t know which software and services should be running on your devices, it’s very difficult to detect what shouldn’t be there. So I would say you might want to just start looking at your configuration standards and make sure you truly know what should be there. And we’re always supposed to be removing what should not be there.

But I would say, it’s something that we maybe haven’t done as good as we possibly could have through the years.

Yeah, one of the things here that I’ve seen over the years is that, you know, these organizations going down, especially in the, you know, the hardening standards or configuration standards, you know, I got a good piece of advice in the early days, if you will, which is, you know, you kind of take it, if your hardening standards are effective, if the machine blew up and you had to recreate this thing, what exactly, precisely, would you need to go do, change? What settings do you flip? What, you know, what software is on there? What are you installing? Like, literally a rebuild of the device. If you can accomplish that through those, you know, through those hardening standards, then, you know, you pretty much hit the mark in terms of, you know, what’s needed, obviously if it’s in alignment with some type of a, you know, kind of an industry standard. So, you know, that was always good advice that I’d gotten, you know, kind of back in the day.

You know, and I was just going to say that, in addition to that, one of the things that you need to worry about. Sherri, you there?

I’m sorry, yeah, one of the things also is, you know, it’s one thing to have your server stop, and you need to put everything back on it, you need to configure it. What happens if it happens in the middle of the night, you’re not on site, and you’ve got some part-time person, or, you know, a night person who doesn’t usually build a server, and now they’re in the position to have to? How do they know how to harden it? So it’s really important from that perspective as well.

Yeah, go ahead.

I’m going to add to that, you know, a lot of times the issues aren’t so much that the machine blows up, although that’s certainly an issue, but it’s when you have turnover, right?
And let’s face it, you know, most companies have some degree of turnover, and could end up with someone that is not up to speed as good as they could be if there wasn’t some sort of turnover. We used to say, what if somebody got hit by the bus, but that sounds too morbid. Now we just meet in the middle and said, what if they get hit by a lot of the bus? But if you think about it, that’s kind of the standard, I’d say, for documentation. If somebody else had to pick it up from ground zero, could they do it?

Yeah, yeah, exactly. So switching over to requirement three, it is a significant change in requirement three. Requirement three deals with protecting your account data at rest. So they’re now saying that if you have sensitive authentication data at rest, even if storage is temporary and it’s before authorization, it has to be encrypted. And if you are, if this account data is stored via a third party service provider, they’re responsible for working with them to determine how they meet this requirement for you. So that’s very important that you get that piece done.

So let me ask you this, Sherri. Trick question, under what circumstances is it even okay for somebody to have, you know, the SAD, the sensitive authentication data? I would say after authorization, it’s actually okay for an issuer, or if you’re supporting an issuer.
If you’re not supporting an issuer, then you shouldn’t have it. Please read, it’s the hot potato.

Right, exactly. And Sherri, one point of clarity on that, and that is that you talk about, you know, protecting it at rest, even if it’s temporary. When they make that statement, are they talking about if it’s temporarily, literally stored to disk? Or are they talking about temporary memory storage as well?

They’re talking about temporary memory storage as well.

That’s gonna get exciting.

It is, we don’t know how we’re gonna do that one. That’ll be a pretty big change for a lot of organizations. Another thing is you now have to use technical controls to prevent copying, local storage, and other easy exfiltration of your cardholder data. So that’s also potentially a budget hit to actually do technical controls to prevent that from happening. People who are using a jump server, that’s great. The Citrix server really takes care of a lot of that for you, but if you’re not, that’s also gonna be quite the challenge.

Sure, no, it’s that when they express technical controls, you’re talking about like DLP software, having that implemented?

That could be one of the things. They don’t specify that, but that could help.

Excellent.

Yes, yes, right. Another thing they’re saying is that you cannot use full disk and volume encryption for servers. It can only be used on removable media. So a lot of that, and that’s also for disk-level and partition-level encryption. So if you’re a database administrator, when you log into your device, and if you walked away from your system, because it would be based on OS, then people could actually get onto your system and get your credit card information off of the database because they can see it. So they’re saying that you need to make sure that any full disk volume encryption, disk level, partition level, is only done for removable media.
And I don’t know that that’s going to affect a whole lot of our client base, but it’s still a little bit of work to do.

Sure, I agree. Over the years, we’ve seen less and less folks resort to disk level encryption, but still good to be aware of that. Sherri, when you make that comment, you’re talking about they can’t just, just use full disk and volume encryption. They have to actually be encrypting the data, but there isn’t a problem if they have data layer encryption and happen to have the disk encrypted as well, correct? Correct. Okay, awesome. But again, you can only use the full disk and volume encryption if you’re using removable media. Got it, yeah, with you. Another thing that they’re saying for requirement three is that hashes used to render your credit card number has to be cryptographic hashes of the entire pan or the personal account number. And you have to have your associated key management processes and procedures. So you can’t just hash the middle numbers that you never can expose. You have to do the entire pan. Gotcha. And they’re also saying that you have to prevent the use of the same cryptographic keys and prod and test. So you definitely have to have different keys in your production environment from your test environment and manage them accordingly. That makes logical sense. Right? And they are saying that secure sensitive authentication data stored by issuers must be encrypted using strong cryptography, which we kind of mentioned a moment ago. Okay. And then also you have to have a documented description of your cryptographic architecture that includes the prevention of the use of cryptographic keys in prod and test environments. Very good.

Yeah, so those are changes that could potentially cause some hiccups, and one other thing that I will say is the forensic investigators also told us that, you know, let me specify, they are people who go in when there is a credit card data breach, not just breaches in general, but this is specific to credit card data breaches. Two percent of the breaches that have occurred are caused or contributed to by requirement three, so it’s not that many, but it’s still two percent of those breaches.

Sure.

Requirement four is not a significant change, but it’s going to take effort, and the council has warned people: start now. So you’ve got to have an inventory and track your keys, the keys and certificates that you use to secure your account data in transit. And this would include self-signed certificates. And many of those of us who’ve been in the business for a long time, the council never really addressed specifically self-signed certs. Now they are. They’re saying they are okay to use as long as you have an internal CA that is actually distributing those keys or certificates. So you can use them, but they still have to be managed from a certificate authority level inside your organization.

Gotcha. And this is all good. I mean, you have companies that are mature, been doing this all along, either manually or they’re using various platforms for organizing matching keys. So this just kind of gets everybody else up to where they ought to be.

Sure. Right. And they’re also saying that we’re going to have to confirm all the certificates being used are valid and not expired or revoked. And when you think about it, if it’s one thing, there’s probably not a whole lot of people who are using all these different certificates to send credit card data everywhere, but maybe internal to your network, you may have quite a few that you’re using.

Sure.

So you really need to look at all of that. And they also said, one of the things the forensic investigators said that I thought was interesting is insider threats are increasing and they are hitting people at higher levels in the organization. So it’s kind of interesting that, you know, we really need to be careful even about our executive management.

Actually, that’s one of the groups that I’ll specifically tell folks to go in and target, because it’s amazing how many of them have, you know, have extreme access within the organization just because of their position. And yet, you know, in many cases, I don’t know, we’ll call them less, less adept at, you know, kind of being able to thwart and handle those threats, so, you know, certainly make them a juicy target.

That’s true. And requirement five, anti-malware. They’re not calling it anti-virus anymore; they’re saying anti-malware, and if you’re using AV, that’s really not sufficient anymore. You really need to be doing anti-malware. They are saying that next-gen and behavior-based anti-malware is officially acceptable, but here we go: you have to perform a targeted risk analysis to determine the frequency of periodic evaluations, as I mentioned earlier, of system components identified as not at risk for malware. And I know a lot of people still consider Linux and Macs as not needing AV.

Steve, do you have an opinion on that?

Well, generally speaking, it applies to the extent that it is applicable, and I would agree, you know, ten years ago maybe it would not necessarily have applied to MacBooks and whatnot, the Mac OS. But I’d say in these days and times, partially because of the popularity of these devices, but also because, let’s face it, anybody who’s out there trying to get their hands on information is going to get as creative as they can. And they are going to work with popular operating systems. So I’d say in these days and times that the needle’s probably turned towards, yeah, you probably ought to have some degree of protection on your MacBook. Linux, I think, mileage will vary depending on how the system has been configured, because you can really batten down some Linux systems to harden them to where, you know, anti-malware is not going to buy you much. But again, it’s going to kind of depend on what degree you’ve hardened the box.

Agreed. So again, you know, the targeted risk analysis is going to have to really back up your opinion on that. And you’re going to have to provide that to your assessor and be able to show that you’ve done your due diligence on that, such that they can see it in your documentation.

The key thing there, what you just said, right, is that it’s not the assessor’s job to do this part of the legwork. Certainly, you know, the assessor wearing the advisory hat can provide advice to help you, but it’s incumbent on the entity that’s being assessed to provide this to the assessor so they can show that, hey, yeah, we’ve done our legwork.

Sure. Exactly correct. And another thing that they’ve said is that you have to have processes, and here we go again, automated mechanisms in place to protect against phishing attacks. I think many people now have things in email to do phishing, you know, looking for those emails, etc, but it’s now a requirement to have the automated mechanism to do this. Yeah, I’m guessing Microsoft is going to be like, loving that requirement? Oh, you know they will, right? Another one, a targeted risk analysis is performed to determine frequency of periodic malware scans. So because the standard says you have to be doing malware scans periodically, you now have to determine is that once a week? Is that twice a week? Is that, you know, so you have you have to look at that too. It’s some interesting discussions that come out of that. I’ve had these time and time again with clients, but wait, I’m running this thing in real time. Why do I have to scan what’s on my disc? Luckily, luckily, now it’ll be up to them. But I can venture to guess there will be some folks out there say, well, I don’t ever have to scan my disc because I’m running, I’m running it in active memory. So there’ll be some good dialogues coming around this one. No doubt. I agree. One of the things that us QSAs continue to talk about on these targeted risk analyses is, are we supposed to just accept them because it went through their internal risk assessment procedure?
And, you know, some of them would be very hard, you know, if a client said, we don’t have to do point of interaction device inspections, but once every year or two years. Wow, what do you say to that? And they’re supposed to be able to back it up with, you know, the evidence of why they believe it’s good. But I think that that’s another one that’s going to put us QSAs in kind of a tricky position.

Sure. They also say for anti-malware scans, they have to be performed when removable electronic media is in use. So if you put a USB drive in, it’s going to have to have a malware scan performed before you can use it. Gotcha. Well, that’ll probably spur a lot more organizations to take their kind of local device hardening and dialing off USBs as a, you know, just a de facto standard is probably going to dial up a notch or five. Exactly. That’s true. And that’s really been a big trend anyway. I mean, how often, you know, five, 10 years ago, yeah, I carried a couple of USB sticks and, you know, my backpack now. I don’t have one. I don’t ever have a need to use it. My guess is that’s become more and more prevalent. Of course, there’s other ways to leak data out. This is just one avenue that luckily we’re shutting down, but there’ll be plenty of other things that we’ll need to look at to make sure that, you know, not only are you protecting bad, you know, your system from bad things coming in, but you’re also protecting them from good things going out.
That’s right. On requirement six, it’s also a very significant change.

I want to talk about the forensics investigators real quick. One of the things that they told us is that 50 percent, five zero percent, of the data breaches that they have investigated are caused or contributed to by requirement six. So they had this session and they were going to talk about it. We were all very excited. Oh, we’re going to hear about all these new hacks and all this exciting, deep dark world stuff. And we went in and you know what they said? You got to patch your devices. That’s still what’s causing the issues. Really? This is 2020. We’re still not patching. And that is one of the most common ways. And there is one other way, making sure admin pages aren’t exposed. There are a lot of admin pages exposed. And I watched a guy just this week at a conference show how easy it is to hack an environment with admin pages exposed. So that’s different on requirement six.

Yeah, one of the, I was gonna say, Sherri, one of the things that I mean, I’ve been pressing people, you know, on for years is just, you know, is basically, you know, we have those requirements under 3.2.1 for, you know, making sure you had sources for all of your vulnerability information, you know, and then, you know, that you’re actually applying the patches. I would encourage folks to, you know, to basically take their inventory in its entirety, hardware, software, and map that up against their sources of patching and patch availability notifications coming inbound that would drive the, you know, the patching process, and then turn that around to validating that they’re actually applying it under, you know, kind of under 6.2 under 3.2.1. And that tended to get it buttoned up, you know, fairly well, but obviously there’s a lot of organizations that are still struggling with this.

There really are. There’s some people who think they only have to patch twice a year.

Wow, I don’t know what world you live in, but the world I live in, there’s some really good hackers out there.

But kind of speaking to what you just mentioned, they are now going to have to maintain an inventory of bespoke and custom software that they’re using for vulnerability and patch management. So if they have APIs and things as part of their software development practices, they’re going to have to have an inventory of all that. They’re going to have to prove their patching: what level of Java are you on? What level of this or that? And are you patching it? That’s gonna be a challenge.

Yeah, that actually, that’s gonna open up an entire can of worms, because it’s funny how few people will think in that manner, you know.

That’s true.

You know, also think about the developers that have now moved on, do people even know what’s a part of their software anymore? I mean, I remember the day where one of the developers created some software that was awesome, but we could only use it on his workstation because there was something that he did and specific to his workstation that made it work that wouldn’t work anywhere else. So do they even know what it’s gonna be? So that, I think is gonna be a difficult one. And then you also have to hear again as another automated and I believe we spoke on this earlier. You’re gonna have to have an automated technical solution for public facing web applications and it’s got to continually detect and prevent your web-based attacks. So you are required now to have a web application firewall versus being able to do that or a code review. So that one can be a big one for some people because they’re gonna have to get in the budget. They’re gonna have to pick a product. They’re gonna have to implement it, understand how to use it, get it honed in for getting all the right alerts and so that’s gonna be a big deal for some people too.

Yeah, I know, Sherri, with those WAFs, you know, atypically, right, you know, go fire it up, you’re in training mode, you know, leave it in that arena for a while, and then you flip to, you know, kind of into alerting and blocking mode. One question, and just a clarity point, you know, with those WAFs, you know, you’ve got the training mode, you’ve got alerting mode, then you have blocking mode. You know, this specifically is calling out prevents web-based attacks. Is it, do you know, have they specified thou shalt dial your WAF on in blocking mode, or, you know, is there some, you know, wiggle room there if the organization is doing, you know, a combination of alerting and blocking, then that’s okay, or they’re just in alerting mode?

You know, that’s a great question, and I haven’t seen anything on alerting, blocking, etc. They’re just basically stating you have to have the technical solution for that, being a WAF.

Gotcha, gotcha. Well, we’ll see how it all unfolds.

Right, and another thing that’s not easy, and we’re having a lot of conversations about this one. There are people who believe this can’t be done. You have to manage your payment page scripts that are loaded and executed, not internally, but on your consumer’s browser. So how do you know that the script that they’re actually using in their consumer browser at Granny’s house at two in the morning is actually the right payment page that they’re supposed to be getting, and no man in the middle has come in and changed out the payment page? That will be interesting.

It’s almost like there needs to be some sort of handshaking going on to make sure that the version of what’s on the browser is what you’re expecting on your web server, right?
Exactly, and there are some products out there that can help with this, but again, there’s a lot of people shaking their heads saying, how in the world are we going to control anything on the consumer’s browser? So that’s kind of an interesting one. Plus it opens up a can of worms, right? Does anybody really want to be controlling anything on somebody else’s machine? Doesn’t that make everybody a service provider to them? What are you saying, Steve?

It’s gonna be dark before it gets a little more light.

And the other thing that they have is they want you to have more relevant and comprehensive development security. So for your developers, if they’re coding in a certain language, it’s no longer go take, go watch training; it’s you have to have training in the language in which they’re developing. So imagine the poor mainframe guys.

Oh, yeah, and then, well, it’s hard. Yeah, it’s hard enough to find the mainframe guys these days, you know what I mean? It’s like, you know, we’re struggling to fulfill the positions for the mainframe guys, let alone go pull somebody off the stack to go do training, you know, seriously, man. I cut my teeth on 400s back in the day, and yeah, that was, it was a rough 20-something years ago getting people for, you know, for doing that work. So yeah, that’s gonna get real entertaining. The other vector where this is gonna get real crazy real quickly, if, you know, some of these bots and AI, the fact that you could slap together a web page with, you know, ChatGPT and get it up and running in no time flat, and you’re not even a developer. Sure, it’ll be functional. But do we have any idea whatsoever to what degree it’s secure? You know, it’s gonna create this whole other avenue of weirdness, in a good way maybe, but again, it’ll get dark before it gets light.

Yeah.

Oh, come on, ChatGPT is gonna take care of all of it. Actually, to that end, Sherri, Todd and I just did a podcast on AI, so if you haven’t heard that one yet, you can go take a listen to that one. Please definitely go do that.

So requirement seven also has significant change. So they are saying that all user accounts and related access privileges have to be reviewed every six months, including third-party vendor accounts, and they have to be acknowledged by management. So some people are doing this very well, but if you’re not doing that and you’re not including all those third-party vendor accounts and doing it every six months, you’re gonna have to put a process together. And they’re also saying that you have to assign and manage all application and system accounts and related access privileges based on least privilege. Access has to be limited to systems, applications or processes that specifically require their use.

This is what we alluded to before. We’re getting more granular here. This is all good stuff and things we’ve been preaching forever. And a lot of folks would just nod their heads and then go on to their busy days. Now it’s a requirement and it’s good. I mean, I think this has been a long time coming. And again, it’ll be a lot of work for those who have that technical debt, but it’s the right thing.

It really is.

And then all access, this is interesting. All access that has been by application and system accounts and related access privileges have to be reviewed periodically based on your targeted risk assessment, and you have to address any inappropriate access and have it acknowledged by management. So you’re not just looking, should this person have an account; you’re looking at what have they done? What access privileges do they have? Have they been in the wrong stuff? So that’s kind of an interesting one.

Yeah, no doubt. And I think it’s gonna, yeah, I think for some organizations, I love the way you put that, Steve, with the, you know, those that still have the technical debt, because I know there’s a lot of organizations that are, you know, have kind of been doing this philosophically. Probably there’s some things in here that’ll make for changes for some organizations. But I think this could be an arena that will be an eye-opener for some of the organizations.

That’s true.

And then when we go into requirement eight, it’s also significant change. These two have always been so related to one another. They’re actually changing the minimum length of the passwords to 12 characters now, unless your systems can’t handle 12, and then they have to be a minimum of eight. And they’re saying that if you do this, you can actually do, guess what, a targeted risk analysis to determine how often you need to change those passwords if you’re using a more complex password than what’s required. As long as the paper lasts on the bottom of your computer, it’s not going to work. And then when we go to the next slide, we’ll go to the next slide, which is, you know, the cardholder data environment. Once you’re in the environment, you know, we’ve always had that requirement 615 or however, that if you’re not at the management console doing change, you had to two-factor to the console or to the system. You don’t have to use two-factor again once you’re in, but you have to potentially use it once to get on the network and then once to get in the CDE. And if I’m a finance person and I’m getting in there to do some work, I have to have that two-factor. So it’s not just administrators anymore. And the MFA cannot be susceptible to replay attacks. And there is no bypass. We used to have a bypass group because, you know, two o’clock in the morning and the firewall goes down, you gotta be up and working on it. So they’re saying that admins can do this if it’s documented, authorized, and for a specific limited time. And then that access has to be removed after that specified time. So I think that’s gonna cause some challenges for some.

Yeah, yeah, for some, yes. Yes, others will just be okay.
Then you also have to strictly control and track any interactive use of shared application and service accounts, which is kind of cool on one hand because that means that as opposed to saying you cannot use shared accounts, sometimes you have to, if you, you know, for break glass, right? If you have your server go down or your domain controller go down, how are you gonna get into that system? So there are needs where you need to have a shared account but they’re saying you have to strictly control it and track it.

Passwords and passphrases for interactive application and system accounts cannot be, now this is fun, they can’t be hard coded in scripts, configuration or property files, or source code. So let’s look at that one for a minute. Who in the organization knows whether or not you have some of this hard coded? Are the application developers still there? Do they know? But let’s take it a step further. How in the world is a QSA supposed to figure out if they have passwords and passphrases hard coded in scripts, configuration or property files, or source code? Does that mean they now need to produce source code? So that was an interesting one. Yeah, that’s going to get real entertaining. So they’re saying what you can’t do. You can’t have it hard coded into the scripts and configuration or property files or source code. What are they approving? How are they seeking it to be? Oh, they don’t tell you that. Oh, very good. Okay, awesome.

Yeah, you know this. All right, very good. Moving on. They’re also saying that if you use passwords and passphrases and that’s the only authentication factor for customer user access, then you have to change the passwords and passphrases at least every 90 days, or the security posture of accounts is dynamically analyzed to determine real-time access to resources. So that’s gonna be interesting as well. Cause did you hear me say authentication factor for customer user access? That’s gonna be fun. Yeah, for sure. But we have some good news on requirement nine.

Yay. Yes, on requirement nine, first off it’s not a significant change, and two, they’ve actually streamlined it with better groupings. So we’re not gonna be required to ask the same questions over and over and over. Oh, yes. So it’s gonna be easier for everyone. And as far as POI devices, or point-of-interaction devices, you’re going to have to do a targeted risk assessment to determine how frequently they actually need to be done. One thing the forensics investigators pointed out is that ransomware is actually more common now than the exploitation of POI devices, because they want to be able to get the biggest bang for the buck and be able to monetize what they’re stealing sooner rather than later. So I thought that was kind of an interesting statement.

And requirement 10 is also really great news for most. So if you aren’t using automated security log reviews, which I’ve seen people who still aren’t, they’re going to have to buy some tool that enables automated monitoring of security logs. So again, budget hit, people to understand the technologies, implementation, etc. Which of the big box centralized logging and SIEM providers lobbied for this one? Ah, yeah. But you know, I can totally get it, because first off, who likes to review logs? Oh, yeah. Yeah, agreed. So it’s really a good thing, but it’s going to cause some grief for some people. Oh, yeah, for sure. You also have to do monitoring for responding to and correcting control failures. And it used to be just service providers, but it’s now going to be applied to everyone after March 31st. I don’t know. It just makes a lot of pure logical sense, right? It really does. But there is goodness in this. I mean, you think about it, a lot of people just, they’re not that good at monitoring. And there are a lot of folks who haven’t tuned their logging mechanisms as well as they could be, or even forget to, you know, monitor some of the things they’re supposed to monitor. Or let’s look at some of the breaches that have happened in the past, you know, the famous one, right, the Target breach. The alarms were just lighting up the boards. But because of the fact that, you know, something wasn’t maybe necessarily as tuned as it could have been, people just thought it was noise. I think this is kind of critical. And it’s stuff that people should be doing all along. Of course, it’s really easy to say that from my armchair here; it’s harder in practice, but it’s stuff that we should all be doing better. That’s right. And now that we’ve gone through the good news, all the good news is now done.

This one is very serious. So first off, you have to implement authenticated internal vulnerability scanning. And I think I mentioned earlier, we have run scans on the exact same environment using authenticated and unauthenticated scans. In unauthenticated scanning, the same environment that produced eight vulnerabilities produces 391 vulnerabilities if you’re using an authenticated scan. Where you used to have a potential vulnerability of one, you now have potential vulnerabilities of seven, and it gathers 180 information points versus 45 on the exact same environment. But what’s even more compelling now is that in the detailed results, the vulnerabilities used to be 11 at a level three or two, but with authenticated scanning all of those vulnerabilities that were threes or twos are now fives. So that’s going to be a lot of work that people are going to have to get on sooner rather than later.

Sure. So also, this is another fun one that people are going to absolutely love. For your internal scans, you have to correct all vulnerabilities, including medium and low severity. You used to just have to worry about high risk for those. And that’s going to be as of March 2025. And the frequency of you remediating low and medium will be based on, yes, targeted risk assessment. Well, honestly, I think that’s a good move. I think there’s too much stuff that’s just been left sitting there, and opportunities for people to, you know, gang up on the medium and low level vulnerabilities when something else new is out there to take advantage of it. So I think it’ll be a better thing in the grand scheme of things. A lot of times people can take advantage of a whole bunch of lows and mediums and find their way in. So this will force people not just to sweep it under the carpet.

Yep. That’s right. And another thing that I have found, I’ve heard this already, is some people believe that the informational alerts gathered are also required to be remediated now. I don’t agree. I don’t think the standard says that, but the reason I bring it up is because I bet many QSAs, or some QSAs, will require their clients to also do informational alerts. You know what’s interesting though, guys, is that I’ve seen some of the scan providers, and it is very interesting what happens when you start getting into those informationals. As an example, some of the items that pop up as informationals are: the host couldn’t be reached, I couldn’t connect to the host, or I didn’t see any ports open on the host. Now at face value, okay, that’s great, it’s informational, but in effect, the scan’s coming back and saying, I can’t even evaluate this thing because I’m not able to reach it, right? So I don’t know, I think they’re gonna need to look at those. What’s interesting about that comment though now, Adam, is that that should never happen, because these have to be authenticated scans, right? I can see they’re unauthenticated. Sorry, I can’t see anything. If they’re authenticated, if somebody sees that, it’ll be kind of interesting to see what the path is. But hearing what you said though, I do think that from scan vendors, the scan vendor/platform, there will be some more feedback coming from the PCI world to say, you probably wanna fine-tune this or that, because it’s making us go down these rabbit holes that don’t even exist. It’ll get interesting. Yeah, real big time.

Yeah, and another thing, we talked about the payment page on the client side. You’re gonna have to have integrity checking on the client-side payment page. Gotcha. That’s gonna be fun. And I want to point out for SAQ As, for anyone doing a Self-Assessment Questionnaire A, they’re now going to have to do ASV scans, which is something they haven’t had to do in the past. So that’s gonna be, yes, new for them and also more expense. There’s gonna be some outcry there, I’m sure. Yes, multi-tenant service providers have to support their customers doing external penetration testing. And covert malware communication channels have to be detected, alerted on and/or prevented, or addressed via IDS and IPS techniques. So that’ll be interesting too. Yeah, no doubt. So we’re having so much fun with this, right?

Let’s go to requirement 12. I hate to even address this one. So this one is a lot of stuff. So first off, they have removed the enterprise-wide risk assessment and replaced it with performing targeted risk assessments for any control frequencies where they haven’t said what the periodicity for testing is. That’s things like the scans for AV and the password changes, etc. And you also have to do one of these for every customized approach. But let’s get into some of the more difficult ones. Cryptographic cipher suites and protocols in use have to be documented and reviewed. They have to include the purpose and where they’re used; you have to actively monitor the continued viability of the cryptographic cipher suites and protocols used; and you have to have a documented strategy to respond to anticipated changes in cryptographic vulnerabilities. I think that’s going to be a lot of fun for people. Yeah, that’s going to turn into a small cottage industry, I’m sure. Yes, and then your hardware and software in use has to be reviewed at least once annually, and you have to make sure that they continue to receive security fixes from vendors promptly.

So what’s going to happen is, if you’re end of life, you’re now going to have to put this on the list, and you’re going to have to put in a plan for how you’re going to get rid of that technology. And it’s going to be kind of interesting, because people have really ignored, in a lot of places, hardware and software that’s end of life. We’re continually finding clients that haven’t updated or moved off the technologies, and it’s something that now is a requirement. Also, you have to document the industry announcements or trends, such as end of life. And you have to have the documented plan approved by senior management to remediate those outdated technologies. So that’ll be fun.

And now let’s talk about scope for a minute. Scope for clients has been a real challenge. You know, we go in there and sometimes it’s almost the end of the assessment before we’ve truly redefined the scope and found things that should be in scope that aren’t. What they want now, the council wants organizations to do the scoping, not your QSAs. So a service provider is going to have to document and confirm their scope once every six months and upon significant change, as the council has defined significant change. For merchants… So to go along with scoping, I would say that is the bane of our collective existence in the PCI world for both assessed entities and QSAs alike. It always takes a lot of time to understand the scope, on both sides of the fence. Obviously, it’ll make QSAs’ lives easier when we’re working with a client who has a well-defined scope. But it’s a lot of work. I mean, obviously, it’s the kind of thing where consultative QSA companies like us, we’re happy to work with our clients to help them determine that. Because it’s always kind of like, what about the gray? It’s easy to know, hey, this stores, processes and transmits cardholder data. It’s in scope. It’s everything else that is always part of the game show, right? Is it or is it not in scope? I think by placing more attention on this, it’ll make all of our lives a little better, and it’ll also allow us to better protect our environments, knowing what’s important and what’s not. Agreed.

And one of the things also that they want us to do, and by the way, merchants have to do this once a year and after significant change. I want to make sure I put that out there, that merchants also have to do this. But another challenge with this is they want the QSAs to say the client gave us this scope, and we went in and determined this is the scope, and we have to outline the differences between what they have said is the scope and what we have found to really be the scope. So, I hear dogs barking in the background; they’re complaining about scope. Those are my motion alerts in full effect. We’re actually gearing in on feeding time, so yeah, this is just going to be a thing. Well, you know, it’s to have a perimeter firewall. So they’re also saying that security awareness training has to include phishing and related attacks and social engineering, and acceptable use of end-user technologies. I think a lot of that is done, but some of it is not, so that’ll be interesting. No doubt. And you have to have, again, a targeted risk analysis to determine how frequently you need to provide training for your incident response personnel, and your incident response plan has to include monitoring and responding to alerts from change and tamper detection mechanisms for payment pages. So here we go back to those payment pages: you’re going to have to make sure that they are monitored, you’re responding to it, and really keeping an eye on those also. You have to have specific incident response plans if you were to discover PAN outside of the CDE. You have to have an IRP in place for that, because think about it, was it backed up to a disk somewhere? Where else did it go? How do you know you’ve really killed it and you’ve destroyed all of it? So that’s got to be a part of it.

And this is a good one, I like it. The impact of significant organizational changes on PCI DSS scope must be documented and reviewed, and the results communicated to executive management. So let’s say that we changed up our networking department, and we now say these network engineers all report to this guy, and this new manager is going to get all of these guys. Well, if vulnerability scanning has to be done quarterly and that new manager doesn’t know that they are required to do this, and they stop, you know, they start piling work on them and saying they don’t want them to do the vulnerability scans. This is supposed to prevent organizational change from leading to, oh, we didn’t know we needed to do this. That’s about it for that one. Well, that’d be good. I agree. And then the other one, any third-party service provider that supports is gonna have to support a customer’s request to provide compliance status. Some people don’t believe they need to give you their AOCs. And so this is actually putting a requirement in place. So that’s really it in a nutshell, no big deal, right? Whoo, all right. Well, we’ve been clearing through tons of information and data; let’s see if we can clear out the appendices and keep it moving.

Yes, so I will say there is one change to one of the appendices, multi-tenant systems. It used to be shared hosting providers. And now they’re saying that multi-tenant, this Appendix A, applies to all cloud hosting, payment, and other service providers. So if you have multi-tenant, you’re gonna have to do this now. And it used to be the AWSs of the world didn’t have to do it. So that’s another big change for them. And multi-tenant service providers have to confirm the effectiveness of the logical separation controls used to separate those environments at least once every six months via a penetration test. And other than that, that’s really it. Appendix A2 is still the same, A3 is still the same. And I would just say, make sure you understand your deltas. Determine what you’re gonna have to buy that has to get in the budget. Look at whether you’re gonna need more people, even if you need some part-time just to help you through the heavy lift. And work with your QSA to develop a roadmap. Very important for you to work with your QSAs. Set your timeline well ahead of the formal v4.0 timeline. And have your QSAs review these controls as they’re doing these assessments now, so they can point out things to you that you need to be doing sooner rather than later.

Yeah, that’s a great idea, Sherri, because I think there are going to be some organizations that are really going to struggle with, you know, heading over to the four arena, and yeah, I’d echo that sentiment of don’t wait till the last minute. You’re going to need some time to go in and do the analysis. I really like the notion of getting the assistance of the QSA that you’ve got, or whoever is helping you with directional guidance and all that fun stuff. You know, it’d be a heck of a lot better to get into that arena right out of the gate. Absolutely, so those are my last words of wisdom to you: start now, start now, start now.

Excellent news. Any parting shots and thoughts for the folks this week? Well, certainly, actually, you know what, I’ll pass it to Sherri and Steve and then I’ll wrap it up. So Sherri, any last parting thoughts or shots from your side? I will again say start now, start now, start now. That’s the recording that’s in my head. Start now. Very good. It is a journey, right? It’s not going to just all happen overnight. So start now, don’t be afraid to collaborate with others, be it your QSA or your trusted advisor. Heck, even with other people in the industry that are feeling some of the same pain points, cause we’re all figuring this out as we go along. You know, the standard is what it is, but how we now do the things we do to address it, that’s going to be the heart.

Very good. All right, guys. Well, thank you very, very much for joining us. We really appreciate all of your time, both Steve and Sherri from Online Business Systems, and you really sharing with the listeners so much great feedback on PCI version four. This, I believe, certainly from my perspective, has been a great conversation, and we really appreciate it. We appreciate you asking us to speak with you. Thank you very much for having us. Thanks for the great opportunity.

Absolutely. That right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow, and I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
