Tuesday, June 17, 2008

Chase Paymentech Issues PCI DSS Alerts

According to an announcement from Chase Paymentech, merchants need to know about significant changes to the Payment Card Industry Data Security Standard (PCI DSS) required network scans. Effective July 1, 2008, the PCI Security Standards Council (PCI SSC) is requiring Approved Scanning Vendors to change from version 1 to version 2 of the Common Vulnerability Scoring System (CVSS). This change impacts all Approved Scanning Vendors (ASVs) and the scans they perform for their customers.

This change impacts the way certain vulnerabilities are scored. Some vulnerabilities that were deemed less significant under version 1 will receive heighten scoring in version 2. Such vulnerabilities may now result in a failing PCI network scan score. This will result in a merchant being non-compliant with the PCI DSS until the vulnerability can be addressed.

Merchants are strongly encouraged to contact their ASV and discuss the impact of these changes. Many ASVs are allowing merchants to perform “preview scans”. Preview scans allow the merchant to scan their environment using the new CVSS v2 scans before the July 1, 2008 effective date. This provides merchants with an opportunity to assess the impact of CVSS v2 prior to performing their next required scan.

Chase Paymentech urges merchants to immediately undertake preview scans of their environment. Trustwave is already offering preview scans to their customers and Chase Paymentech has arranged with Trustwave to provide preferred pricing to its merchants.

Penetration Testing

In addition, merchants will want to know that the PCI SSC recently provided clarification about penetration testing requirements under PCI DSS Requirement 11.3. The penetration testing required by Section 11.3 is different from the vulnerability assessments required in Section 11.2. Vulnerability assessment simply identifies and notes vulnerabilities. Penetration testing attempts to actively exploit them.

The penetration testing requirement was previously interpreted as an external test only. The PCI SSC has now defined the requirement to include both internal and external testing. It should include application and network layer testing as well as controls and processes around the networks and applications. The scope of the testing is the cardholder data environment and all systems and networks connected to it.

Penetration testing may be performed by a qualified internal or external party. Any resource used must be a trained and experienced penetration tester. Internal staff performing the test must be organizationally separate from the management of the environment being tested. Methodology and results of the test must be documented, and follow-up on identified issues is required. Both Black-box and White-box testing are permitted.

Penetration testing should be performed AT LEAST annually, and any time a significant upgrade or modification occurs (for example systems component upgrades, new network creation, or new server deployments). "Significant" is specific to a given environment, but can be defined as upgrades or modifications that could impact or allow access to cardholder data.

No comments:

Web Analytics