In our previous post, we highlighted recommendations for preparing for the 30 June 2018 PCI Data Security Standard (PCI DSS) deadline for disabling SSL/early TLS protocols to safeguard payment data. Here PCI SSC Senior Director of Certification Programs Gill Woodcock discusses getting ready for 1 February 2018, the effective date for all new requirements introduced in PCI DSS version 3.2.
There is always a balance to strike between security threats and operational reality. We all know that new security vulnerabilities and exploits appear with ever-increasing frequency, but that it takes time, budget and effort to deploy patches, fixes and sometimes entirely new security infrastructure. When new PCI DSS controls are needed to address the evolving threat landscape, there are always challenging discussions to ensure those controls are introduced promptly enough to mitigate the risk while allowing sufficient time for organizations to implement them and meet their compliance obligations.
In PCI DSS 3.2 you’ll find several requirements with a note saying “This requirement is a best practice until 31 January 2018, after which it becomes a requirement”. From a security viewpoint, best practice is what is needed to address the threat. All organizations should consider implementing these best practices into their environment as soon as possible, even if they are not required to validate to them.
The requirement date of 31 January 2018 recognizes that changes take time and gives organizations an opportunity to prepare before needing to validate and, possibly, report on compliance for these additional controls. Introducing new controls may well need budget discussions, integration and coordination with other change projects, all of which takes time.
Don’t wait until your 2018 compliance assessment is on the horizon: if you haven’t started planning for these controls, start now!
Another example of the security vs. operational balance is seen in the migration away from SSL/early TLS to more secure cryptographic protocols. The deadline for this is 30 June 2018. Although the vulnerabilities in SSL/early TLS were recognized a few years ago, many organizations have needed a considerable period of time to make the necessary changes, especially if their environments are extensive and contain old, legacy IT equipment. Hopefully everyone has now either finished their migration or is working through their Risk Mitigation and Migration Plan. From a security perspective, the earlier an organization completes its migration, the less time it leaves itself exposed to attacks. Don’t wait for compliance dates to come along before starting work.
Keeping up with dates can be difficult. The PCI SSC website has lots of additional information, providing guidance as well as the standards themselves. I’d particularly like to point out the Guidance for PCI DSS Scoping and Segmentation, the Multi-Factor Authentication Guidance and the Bulletin on Migrating from SSL and Early TLS. These are all good sources to help with planning changes and mitigating risk. The PCI Perspectives Blog is another great way to keep up to date. It is frequently updated and contains short interviews and comments on what is coming along. At PCI SSC we will do all we can to help you through, so if you have any feedback for us, please don’t hesitate to get in touch.