PCI DSS 3.0 and Encryption

Version 3.0 of PCI DSS (Payment Card Industry Data Security Standard) was released in November 2013, and now that version 2.0 was retired at the end of last year, all organizations should have completed the transition to version 3.0.

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

Recently I had another look at version 3.0 and have a few observations:

Overall, version 3.0 is an improvement on previous versions because it states more of the security intent behind each requirement rather than only prescriptive rules, which encourages a more holistic view. This matters because a merchant's goal should be to improve the security of customers' data (and its own), not simply to achieve PCI compliance. Compliance does not necessarily mean data security, but a programme focused on risk, confidentiality, integrity and availability will usually satisfy most of the compliance requirements as a by-product. A security-led approach is better than a "check list" compliance approach, and that applies not only to the payment card industry but to every sector, including government, health and education.

With regard to encryption I see some improvement too. Requirement 3.4.1 says:

3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts.

In the past, merchants may have believed they could deploy a disk encryption product configured to unlock the drive automatically at power-on and boot straight to the operating system login screen. Requirement 3.4.1 makes it clear that one cannot skip pre-boot authentication, let the machine unlock itself, and then rely solely on the operating system for authentication. Under previous versions of the standard a merchant with encryption of that kind could achieve compliance, but if the decryption key was released before any user authenticated, the encryption was not really protecting anything: it guaranteed confidentiality only as far as the operating system's own logon did, and encryption without proper authentication does not guarantee confidentiality at all.
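The configuration described above is easy to spot on a BitLocker estate by looking at which key protectors each volume carries. The script below is an added example, not part of the original post and not a WinMagic or PCI SSC tool: it uses the `Get-BitLockerVolume` cmdlet from the BitLocker module that ships with Windows 8 / Server 2012 and later, and its classification of which protector types count as pre-boot authentication (TPM+PIN, TPM+startup key, password) versus automatic release (TPM-only, external key) or account-bound (AD account) is the example's own interpretation of 3.4.1, not wording from the standard. The constructed sample volumes exist only so the logic can be read and exercised on a machine without BitLocker.

```powershell
# Added example (not from the original post): audit BitLocker key protectors for
# the condition PCI DSS 3.4.1 targets, i.e. disk encryption whose logical access
# is not independent of operating system authentication. Run from an elevated
# shell; falls back to constructed sample data where Get-BitLockerVolume is absent.
# Which protector types count as pre-boot authentication is this example's own
# interpretation, not text from the standard.

# Protectors that require a human to supply a secret before Windows loads.
$PreBootAuthTypes = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password')
# Protector that binds the decryption key to a directory user or group SID.
$AccountBoundTypes = @('Adaccount')

function Test-VolumeProtectors {
    # $Volume is one object from Get-BitLockerVolume (or a constructed stand-in).
    param([Parameter(Mandatory)] $Volume)

    $findings = @()
    $types = @($Volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    # RecoveryPassword is escrow material, not a day-to-day access-control mechanism.
    $accessTypes = @($types | Where-Object { $_ -ne 'RecoveryPassword' })

    if ([string]$Volume.ProtectionStatus -ne 'On') {
        $findings += 'Protection is not On (volume unencrypted, or protectors suspended)'
    }

    if ([string]$Volume.VolumeType -eq 'OperatingSystem') {
        # TPM-only or ExternalKey-only OS volumes unlock on their own and boot to the logon screen.
        $pba = @($accessTypes | Where-Object { $PreBootAuthTypes -contains $_ })
        if ($pba.Count -eq 0) {
            $findings += "OS volume has no pre-boot authentication protector (found: $($accessTypes -join ', '))"
        }
    } elseif ($Volume.AutoUnlockEnabled) {
        # Auto-unlocked data volumes inherit whatever protection the OS volume has.
        $findings += 'Data volume auto-unlocks from the OS volume; it is only as strong as that volume''s PBA'
    }

    foreach ($t in $accessTypes) {
        if ($AccountBoundTypes -contains $t) {
            $findings += "Protector '$t' ties the decryption key to a directory account"
        }
    }

    [pscustomobject]@{
        MountPoint = $Volume.MountPoint
        VolumeType = [string]$Volume.VolumeType
        Protectors = ($accessTypes -join ', ')
        Compliant  = ($findings.Count -eq 0)
        Findings   = ($findings -join '; ')
    }
}

# Constructed stand-ins for Get-BitLockerVolume output (not captured from a real host).
# Property and protector-type names match the real cmdlet's output.
$SampleVolumes = @(
    [pscustomobject]@{
        MountPoint = 'C:'; VolumeType = 'OperatingSystem'; ProtectionStatus = 'On'; AutoUnlockEnabled = $false
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Tpm' },
                         [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' })
    },
    [pscustomobject]@{
        MountPoint = 'D:'; VolumeType = 'Data'; ProtectionStatus = 'On'; AutoUnlockEnabled = $true
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'ExternalKey' })
    },
    [pscustomobject]@{
        MountPoint = 'E:'; VolumeType = 'OperatingSystem'; ProtectionStatus = 'On'; AutoUnlockEnabled = $false
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'TpmPin' },
                         [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' })
    }
)

$volumes = if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume
} else {
    $SampleVolumes
}

$volumes | ForEach-Object { Test-VolumeProtectors -Volume $_ } | Format-Table -AutoSize
```

On the constructed data, C: (TPM-only) and D: (auto-unlocked data volume) are reported as non-compliant and E: (TPM+PIN) as compliant. A recovery password is deliberately ignored as an access mechanism: its presence does not make a TPM-only volume any less automatic at boot. Whether an AD-account protector violates the "keys must not be associated with user accounts" clause is a judgement call for the assessor; the script only surfaces it.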


PCI DSS version 3.0 is a step forward and I hope future versions will continue to migrate towards an emphasis on principles and intent to achieve true security not just compliance.
