PCI SSC Publishes PCI DSS Designated Entities Supplemental Validation for use with PCI DSS v3.1, Version 1.0 (June 2015)

The PCI SSC recently published its Supplemental Validation requirements for “designated entities”. The document formalizes the requirements for on-going, interim control validation by these organizations. Not all entities subject to PCI DSS must perform these activities: only the payment brands (Visa, MasterCard, American Express, Discover, and JCB Intl.) and acquirers can designate a merchant as a “designated entity”, and the document offers the following as examples of organizations that might be so designated:

  • Entities storing large amounts of cardholder data.
  • Entities providing aggregation points for cardholder data.
  • Entities suffering large-scale and/or recurring breaches resulting in compromise of cardholder data.

These are pretty intuitive: the examples given are either lucrative targets, given the large volume of cardholder data they handle, or organizations that have already experienced a breach resulting in the unauthorized disclosure of cardholder data.

The document includes both new and long-standing requirements (in some cases expanding on the latter), all of which are mapped back to the PCI DSS Requirements:

  • 1 (DE.1.1-DE.1.4) Implement a PCI DSS compliance program.
  • 2 (DE.2.1-DE.2.6) Document and validate PCI DSS scope.
  • 3 (DE.3.1-DE.3.3) Validate that PCI DSS is incorporated into business-as-usual (BAU) activities.
  • 4 (DE.4.1) Control and manage logical access to the cardholder data environment.
  • 5 (DE.5.1) Identify and respond to suspicious events.

It is worth noting that some of these validation activities may require significant capital investment (e.g. data discovery technologies) and additional services (e.g. penetration testing). The validation steps requiring that PCI compliance status be communicated to the Board and executive management are also noteworthy and, as a QSA, extremely gratifying. From my perspective, this (finally) gives PCI compliance equal footing with, and the same visibility as, many statutory compliance requirements.

Many of the validation steps have a specified minimum frequency. The following are some examples:

  • Annually.
    • Board and Executive-level communication detailing PCI-related initiatives.
    • Evidence of security training.
    • Effectiveness review of data discovery methods.
    • Hardware and software review to verify all technologies meet PCI requirements.
  • Semi-Annually.
    • Penetration testing to verify segmentation is effective (or after significant change).
    • User account and privilege review.
  • Quarterly.
    • Scope review and validation (or after significant change).
    • Data discovery (or after significant change).
    • Business as usual activity reviews.

Much like the allowance for an initial assessment in which four quarters of passing ASV scans are not yet available, there is an allowance for not having completed all validation steps for the whole year if the “designated entity” is being assessed against these requirements for the first time. The assessed organization need only demonstrate compliance for the most recent interval for which the activity is specified. After the initial assessment and going forward, however, the “designated entity” must have the full complement of evidence required to demonstrate compliance.

GuidePoint Security can assist with the new formalized requirements by performing the following:

  • Gap Assessment – Work with “designated entities” to identify gaps in control implementation against the SSC’s specified validation steps.
  • Advisory Support – Work hand-in-hand with organizations working to comply with the new requirements by providing advisory and consultative support throughout.
  • Assessment – Perform annual PCI assessments structured to include verification that a “designated entity” performed the required validation steps compliantly.

All in all, this is a significant step forward in evolving PCI DSS: it requires organizations to incorporate PCI DSS requirements into their everyday processes and keeps some entities from treating PCI DSS as an annual “check the box” activity. These new validation requirements are hefty and put the onus on “designated entities” to embed PCI compliance activities into day-to-day business operations. Ideally, this additional scrutiny, investment, and effort will foster a culture of security within the “designated entity” and elevate control activities to “business as usual”.

About GuidePoint Security

GuidePoint Security, LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Reston, Virginia, with offices in Michigan, New Hampshire, Florida and North Carolina, GuidePoint Security is a small business; its classification can be found in the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

Time Inc. Highlights GuidePoint Security in the WSJ CIO Journal

Time Inc. (Time) was recently mentioned alongside GuidePoint Security (GuidePoint) in an article in the Wall Street Journal CIO Journal. Time leverages GuidePoint’s Amazon Web Services (AWS) and Payment Card Industry (PCI) expertise to guide it through the migration of applications into AWS. Specifically, GuidePoint provides expertise in implementing architectures and control frameworks that deliver not only security but also PCI compliance.

“We appreciate GuidePoint Security’s advice through this process. Their specific working knowledge of security and PCI compliance in AWS has been a great asset to us,” said Keith O’Sullivan, VP – Global Information Security for Time Inc.

Organizations are rapidly increasing their cloud adoption; however, information security and compliance considerations present both a challenge and an opportunity when moving to the cloud. Organizations must include information security and compliance experts in their project teams, or risk jeopardizing the security and compliance of their cloud applications.

GuidePoint provides this expertise through our Cloud Solutions and Compliance practices. We have worked with numerous clients to develop secure architectures, control frameworks, policies and procedures, and to implement security technologies across IaaS, PaaS, and SaaS platforms, enabling our clients to leverage the benefits of the cloud while maintaining or improving their information security and compliance posture.

Contact sales@guidepointsecurity.com or visit www.guidepointsecurity.com to learn more about our Cloud Solutions and Compliance practices.

GuidePoint Security & Tenable Host Security Social Hour at the PCI SSC Community Meeting In Orlando

GuidePoint Security and Tenable invite you to their Security Social Hour in Orlando. Come network with the largest global community dedicated to payment security, and discover the PCI compliance solutions that we offer our customers.

When: Wednesday, September 10, 7-9PM
Where: Big River Grille and Brewing Works, Orlando, FL

Even as PCI security requirements become more stringent, GuidePoint Security offers the solutions and technologies to address them. By combining the technology of our security partner, Tenable, with our services and experience, we meet and exceed the security and compliance needs of our clients.

Tenable Security offers the following solutions to address today’s PCI requirements:

  • SecurityCenter Continuous View
  • Nessus Enterprise Cloud
  • Nessus Enterprise
  • Nessus
  • Passive Vulnerability Scanner

At GuidePoint Security, we lead security innovation by helping clients recognize threats, understand solutions, and mitigate risks throughout their IT environments. We do this by helping each client determine the best solutions for their unique needs.

Don’t miss the Security Social Hour on September 10th with GuidePoint Security and Tenable. There will be plenty of food, cocktails, and great conversation to go around.

To register for the PCI Security Social Hour, visit: http://gpsec.me/1zRB5h6.

For additional information about the PCI Community Meeting in Orlando, also visit: http://gpsec.me/1nPjnFl.

About Tenable Security

Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk and ensure compliance. Its family of products includes SecurityCenter Continuous View™, which provides the most comprehensive and integrated view of network health, and Nessus®, the global standard in detecting and assessing network data. Tenable is relied upon by more than 24,000 organizations, including the entire U.S. Department of Defense and many of the world’s largest companies and governments. For more information, go to: http://www.tenable.com/industries/pci.

GuidePoint Security is now a PCI Approved QSA Company

GuidePoint Security is pleased to announce that it is now a Payment Card Industry (PCI) Qualified Security Assessor (QSA) company. QSA companies are organizations that have been qualified by the PCI Security Standards Council to have their employees assess compliance with the PCI DSS. Qualified Security Assessors are employees of these organizations who have been certified by the Council to validate an entity’s adherence to the PCI DSS.

GuidePoint’s QSAs bring a unique blend of consulting, auditing and operational experience with the PCI DSS to our clients. Becoming a Qualified Security Assessor company completes GuidePoint’s PCI DSS service offerings. Read more about these PCI services on our website.