Podcast: What’s new in PCI-DSS and PA-DSS version 3.0?

Mathieu Gorge, CEO of Vigitrust, talks about the forthcoming changes in PCI-DSS and PA-DSS with version 3.0 of the regulations due out in January 2014

PCI-DSS compliance is necessary for any organisation that handles customer payment card data and specifies how that information must be held and protected.

The PCI Security Standards Council administers those regulations and is all set to issue its regular update of the standards from PCI-DSS 2.0 in early 2014. Alongside PCI-DSS, it will also update PA-DSS, the regulations that govern providers of payment applications.

In this podcast ComputerWeekly.com storage editor Antony Adshead talks with CEO of Vigitrust, Mathieu Gorge, about the forthcoming changes in PCI-DSS and PA-DSS and what it means for storage and backup of cardholder data.


Antony Adshead: What are the key forthcoming changes in PCI-DSS and PA-DSS?

Mathieu Gorge: Firstly, we need to look at the lifecycle of PCI-DSS and PA-DSS. Both standards have a three-year lifecycle and we’re just about to start a new cycle on 1 January 2014.

So, the PCI council is still collecting feedback from all the parties involved in PCI at the community meetings, for example one that took place in Las Vegas in September and the next one at Nice, France, this month.

The effective date of the new standard is 1 January 2014, meaning that existing PCI-DSS and PA-DSS compliance parties will need to be in compliance with the new standards, ie version 3.0, by 15 January.

So, we need to look at the major changes coming up and what’s driving the changes.

According to the council the changes are driven by a lack of education and awareness of the standards, issues with weak passwords and authentication to systems that hold or process credit card data, issues with managing third parties from a security perspective, issues with malware and inconsistency in assessments.

That’s being translated into the suggested changes that will be validated over the next few weeks and put into action from 1 January next year.

So, the major changes are around user awareness, making security business as usual, offering more stability in controls. That’s the official version. In reality PCI-DSS and PA-DSS remain prescriptive compared to other security standards and frameworks such as the ISO 27000 series, for example. However, they are trying to make the controls a bit more flexible.

You’ll also see some emphasis on shared responsibility with regard to protecting cardholder data.

At the end of the day we’re trying to protect cardholder data, whether it’s being stored, used or transmitted from one entity to another. You see, for example, in the new version of PCI-DSS an emphasis on managing third parties, especially cloud providers.

And with regard to PA-DSS, which is the payment application security standard for vendors that provide applications that are used by payment service providers and merchants and banks, there is emphasis on training integrators so the responsibilities [are shared] between merchants using those applications, vendors providing the application and integrators that put the application into action within the credit cardholder data lifecycle.  

Adshead: What implications for data storage and backup will result from these?

Gorge: There are going to be a number of changes that are either directly linked to data storage or backup or somewhat indirectly linked to managing data from a storage perspective.

The best thing to do is download the PCI-DSS and PA-DSS version 3.0 change highlights that are available from the PCI standards website.

But, in a nutshell, it starts with a major change in requirements which focuses on having a current diagram that shows all the data flow.

I’ve been talking about ecosystems, which are essentially diagrams that show the different lines of business and how the data flows between them and potentially cloud providers and third parties.

This year the [PCI] council has included a requirement to hold a current diagram that shows the actual data flow. So that means that to have that diagram you’re going to need to go through a data classification exercise which means you need to know where the data is coming, what type of data it is, does it fall under PCI, does it potentially fall under any European data protection regulation or US state PII [personally identifiable information], for example.

So, the idea was to clarify the fact that documented cardholder data flow is an important component of protecting that data.

Another requirement that deals directly with storage of cardholder data is requirement 3. Now, some of the changes in this requirement focus around secure storage of cryptographic keys. As you know, requirement 3.4 tells you what data you can store and how you should protect that data if you are allowed to store it from an encryption perspective. That requirement has been clarified and it’s something that entities need to pay attention to.

There are also some changes with regards to storing authentication data. And again the clarification here is made to ensure there is a better understanding of protection of sensitive authentication data and that if you need to store it, it cannot be stored after authorisation.

Looking at PA-DSS one of the main changes revolves around shared responsibility and training of integrators of payment applications. So, PA-DSS used to have 13 requirements and now it has 14 – the last requirement, number 14, being focussed primarily on training.

And again you’ll find within the changes some specification around authentication to access stored data or data that might be temporarily stored for authentication purposes. You’ll find information around two-factor authentication to access the data and the application.

You’ll also find specific controls that have been updated around encryption. The main objective here is to render passwords unreadable. And again, all this goes back to the change drivers that I spoke around earlier on.

The common theme here between PCI-DSS and PA-DSS is that you need to manage your ecosystem that stores, transits or processes credit cardholder data. And the only way to do that is to use best practice and perform a data classification assessment.

Ensure you know where the data is going, where it is stored, that you have the right level of encryption and authentication for that data and that at no time you end up storing data you’re not allowed to store.

And so the council speaks about making security business as usual and what they mean by that is continuous compliance. That really applies to data storage and backup.

So, I think it’s fair to say that there’s a very strong emphasis on data classification and data storage in this new version and this is a welcome change in PCI-DSS and PA-DSS 3.0.

Read more on Data protection regulations and compliance