Service Providers: Are you on schedule or have you already failed a PCI DSS requirement?

If you are a PCI DSS service provider, have you implemented your first quarterly review to confirm that personnel are following security policies and operational procedures? If you were not able to complete this review by 30 April 2018 you are, in effect, failing that control and potentially your certification. You will also need at least one compensating control to cover why your review was not implemented along with details of other measures you have implemented to ensure security policies and operational procedures are being followed.

On 31 January 2018, a number of the requirements in the PCI DSS v3.2 become mandatory; there is an expectation from the PCI Security Standards Council (SSC) that since that date you should have the relevant controls in place to meet those requirements. There is an expectation that the controls will be in place from at least the end of January and not left until your certification renewal date.

In practice, if you are either a merchant or a service provider, you should have already implemented the following since 31 January:

  • Following any significant change affecting in scope systems, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable. As an example, if you have implemented new hardware due to the Spectre and related vulnerabilities, have your inventory and build standards been updated?
  • You should have implemented multi-factor authentication (MFA) that meets the requirements of the PCI DSS for all administrative access to the cardholder data environment (CDE) across your own network as well as remote access.

For service providers you should have implemented the following service provider-only controls:

  • A documented description of your cryptographic architecture that details all the algorithms, protocols and keys used to protect the storage of cardholder data that includes details such as the key strength and expiry dates of keys and certificates. It should detail what the keys are used for to ensure the correct strength keys are being applied and you need an inventory of all components used in protecting keys, i.e. secure cryptographic device (SCD) or hardware security module (HSM).
  • An implemented policy, procedure and process to detect and respond to failures in your critical security controls. A list of common critical security controls is provided in the PCI DSS requirement, but the list is not definitive and other security controls such as patching should be considered for monitoring.
  • For those using segmentation of the network, you have until 1 August 2018 to undertake the first of the six-monthly penetration tests of the segmentation controls.
  • Your charter document should have been signed on or before 31 January 2018, unless there is a good reason for not doing so. The charter document establishes a PCI compliance programme with responsibilities for the programme defined. It should also define how executive management is informed of the state of the compliance programme via periodic updates. There is a requirement for a charter document to cover the establishment of accountability and communication to the executive management that is signed by the executive management.
  • Requirement 12.11 requires you to be holding at least quarterly reviews to confirm personnel are following security policies and operational procedures. The first one of these should have been completed by 30 April at the latest.