New PCI Changes: Network Segmentation, One-Way PAN Hashing
Written by Walter Conway
When the new version of PCI becomes the law of the card-processing land in October, it will include new rules and clarifications on a wide range of key retail payment complaints. Among the top changes, according to PCI officials, are: a requirement that retailers must perform extensive searches for cardholder data across all their networks and systems; clarification on strong one-way hashing of PANs; a move to a three-year PCI lifecycle; clarification on what constitutes acceptable network segmentation; new wording on what constitutes cardholder data; and the applicability of PCI for card issuers.
And even before the full rollout of PCI 2.0 (or perhaps PCI 1.3, if the Council wants to be ultra wimpy) in October (all Participating Organizations should see details in June), the Council will publish a series of position papers to clear up some other debates. Topics will include end-to-end encryption, tokenization and the Eurocard-MasterCard-Visa (EMV) chip-card standard.
These details came from a variety of sources, primarily two presentations given Tuesday (April 13) and Wednesday (April 14) at the Electronic Transactions Association (ETA) show in Las Vegas.
Officially, the Council’s Technical Working Group is still finalizing all these changes. But the details have been confirmed as being in the new version.
The theme of the PCI revisions seems to be fine-tuning rather than a major upgrade. Retailers can expect 14 changes to PCI DSS, three changes to PA-DSS and one change to the Self-Assessment Questionnaire (SAQ). There will be no dramatic new requirements.
Some of the changes are designed to clarify requirements while others will provide additional compliance guidance to both merchants and QSAs. Still others will reflect evolutionary changes to meet new technologies and threats.
Searching For Cardholder Data
One expected change will require merchants to search for cardholder data on all their networks and systems. A big source of data breaches is what has been called the “unknown unknowns.” That is, you can’t protect data if you don’t know you are storing it.
For those of you who may have been worried by my earlier prediction that the Council would require you to use automated data discovery tools, officials made it clear that PCI will only require merchants to implement a formal process or methodology for data discovery.
Finding all the places where you have stored cardholder data can be a challenge. Just because you have searched for it once doesn’t mean data hasn’t leaked out to other systems in the intervening weeks or months. This change is a positive move by the Council, although merchants will have additional work to become compliant.
The focus of the revised requirement is to search the merchant’s entire network and all systems–not just the cardholder data environment–for stored cardholder data. Almost every QSA has worked with a merchant that found it had cardholder data stored in unexpected places (including once on a secretary’s workstation, which was used previously by a developer), and many QSAs have returned to a merchant a year after an assessment to discover new databases where cardholder data has leaked.
Although I still recommend the use of automated data discovery tools, at least I forecasted the Council’s direction correctly. It has taken a step forward by highlighting the problem (you can’t protect data you don’t know you have) and requiring a formal process for data discovery.
One-Way Hashing Of PANs
Another change will be clarification on strong one-way hashing of PANs. Merchants can remove PAN data from PCI scope either by truncation (deleting all but the first six and last four digits) or by replacing the PAN with a secure one-way hash that cannot be reversed.
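The two changes discussed above, a formal data-discovery process and truncation or one-way hashing of what it finds, are shown together in this added Python example, which is not code from the article or the PCI Council: it scans a constructed log excerpt for Luhn-valid PANs, masks each to first six/last four, and computes a keyed one-way hash. The sample log lines and the secret key are assumptions made for the demonstration.

```python
import hashlib
import hmac
import re

# Constructed sample log for the demonstration (not from the article). It mixes
# two test PANs, a tracking number that fails the Luhn check, and a phone number.
SAMPLE_LOG = """\
2010-04-13 10:01:22 order=8812 card=4111 1111 1111 1111 amount=19.99
2010-04-13 10:02:05 order=8813 phone=555-0123-4567 tracking=1234567890123456
2010-04-13 10:03:41 order=8814 card=5500-0000-0000-0004 amount=42.00
"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check, which separates PANs from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PAN candidates found in text, digits only."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def truncate_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as the article describes."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256). An unkeyed digest of a PAN is weak:
    if the truncated value is also stored, only the middle digits (about 10**6
    values for a 16-digit PAN) are unknown, so a plain hash can be recomputed
    and matched. The key must live outside the system holding the hashes."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):  # assumed key, for illustration only
        print(truncate_pan(pan), hash_pan(pan, b"assumed-secret-key")[:16])
```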