Drum roll. As previously announced, PCI DSS version 3.0 is being revised and the new release will be published shortly. Security practitioners are waiting to learn how the changes will help them raise stronger defensive measures against attackers, and companies and merchants are looking forward to updates that will help them take the protection of their business to the next level.


PCI DSS v3.1 will come with a few adjustments to the existing requirements. Let’s take a look at what the PCI SSC (Payment Card Industry Security Standards Council) is preparing in order to protect the privacy of consumers and keep an eye on data protection issues.

Some clarifications

First of all, what is a PAN (primary account number)? It is the 14- or 16-digit number embossed on a debit or credit card and encoded in its magnetic stripe; it identifies both the issuer of the card and the related bank account. It also includes a check digit that is used to validate the number.

To understand the changes that PCI DSS 3.1 will bring, keep in mind that “PAN truncation” is a security measure that removes the middle digits of the PAN in order to help protect payment cards. PAN truncation is used by POS (point-of-sale) terminals, and in many countries it is a mandatory security measure.

Changes to PCI DSS Requirement 3.4

Requirement 3.4 of version 3.0 currently states the following:

Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:

  • One-way hashes based on strong cryptography (hash must be of the entire PAN)
  • Truncation (hashing cannot be used to replace the truncated segment of PAN)
  • Index tokens and pads (pads must be securely stored)
  • Strong cryptography with associated key-management processes and procedures.

The requirement comes with an additional note that highlights how special measures should be taken when “hashed and truncated versions of the same PAN are present in an entity’s environment”.


The requirement will be reinforced in the upcoming version 3.1: the note to requirement 3.4 becomes a new sub-requirement, 3.4.e, which reads as follows:

“If hashed and truncated versions of the same PAN are present in the environment, examine implemented controls to verify that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.”

The new sub-requirement 3.4.e represents a big change. Previously, both the hash and the truncated version of the PAN were considered to no longer be cardholder data; now, when the two are present together (two non-cardholder data elements), they must not affect the security of the cardholder data.

In practice, an attacker holding the truncated PAN could attempt to recover the missing middle digits: the first six and the last four digits are already known, so candidate PANs can be hashed one after another until a match with the stored hash is found.
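The following Python script is an added example, not code from the original post or from Advantio. It quantifies the correlation risk that sub-requirement 3.4.e is about (how many Luhn-valid PANs are consistent with a "first six, last four" truncation) and contrasts an unkeyed SHA-256 fingerprint with a keyed HMAC-SHA-256 one. Using a keyed fingerprint is this example's choice of control, not something the post prescribes; the PAN, the key and the record layout are constructed for the demonstration.

```python
"""Added example (not from the original post or from Advantio).

Shows why an unkeyed hash of a PAN stored beside its truncated form can be
correlated, how big the candidate space is, and what changes when the stored
fingerprint is an HMAC under a managed key. The PAN used below is a
constructed test number, not a real card."""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check over all digits; the rightmost digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """PAN truncation as the post describes it: keep the first six and the
    last four digits and mask everything in between."""
    if not pan.isdigit() or len(pan) < 11:
        raise ValueError("PAN must be at least 11 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def candidate_count(truncated: str) -> int:
    """Number of Luhn-valid PANs consistent with a truncated PAN.

    There are 10^m combinations for m masked digits, but the Luhn check digit
    sits in the visible last four, so exactly one in ten combinations passes
    the check: 10^(m-1). For a 16-digit PAN that is 100,000 candidates, a
    trivial amount of work if the stored hash can be tested offline."""
    masked = truncated.count("*")
    if masked < 1:
        raise ValueError("not a truncated PAN")
    return 10 ** (masked - 1)


def unkeyed_fingerprint(pan: str) -> str:
    """Plain SHA-256 of the PAN. Whoever holds this value together with the
    truncated PAN can test every candidate without any secret; this is the
    combination 3.4.e asks assessors to look for."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_fingerprint(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 of the PAN under a secret key (example's chosen control).
    Records can still be matched, but candidates cannot be tested against the
    value without the key, which therefore belongs under the key-management
    processes requirement 3.4 already calls for."""
    if len(key) < 32:
        raise ValueError("use a key of at least 256 bits")
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def correlation_exposed(record: dict) -> bool:
    """Audit helper over a constructed record layout: True when a truncated
    PAN is stored next to a fingerprint that is not keyed."""
    return (
        record.get("truncated_pan") is not None
        and record.get("fingerprint") is not None
        and record.get("fingerprint_kind") != "hmac-sha256"
    )


if __name__ == "__main__":
    pan = "4111111111111111"         # constructed test PAN, not a real card
    key = secrets.token_bytes(32)   # in production: a key held in an HSM/KMS
    trunc = truncate_pan(pan)
    print(trunc, "Luhn-valid candidates:", candidate_count(trunc))
    weak = {"truncated_pan": trunc, "fingerprint": unkeyed_fingerprint(pan),
            "fingerprint_kind": "sha256"}
    strong = {"truncated_pan": trunc, "fingerprint": keyed_fingerprint(pan, key),
              "fingerprint_kind": "hmac-sha256"}
    print("unkeyed record exposed:", correlation_exposed(weak))
    print("keyed record exposed:  ", correlation_exposed(strong))
```

The keyed fingerprint only helps if the key is stored and managed outside the data store that holds the records; if both are exposed in the same breach, the hash and the truncated PAN are correlatable again.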

Changes to PCI DSS Requirement 4.2

Another important change, even if it looks like a small detail, will be applied to the current requirement 4.2, which states:

"Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.)."

Starting with version 3.1 of PCI DSS, this requirement will list an additional channel: SMS. Sending an SMS that shows the PAN of a card is explicitly no longer acceptable unless it is encrypted. In other words, cardholder data is not only prohibited from traversing the Internet unprotected via e-mail, chat and instant messaging; from now on, messages sent over GSM, CDMA and TDMA networks are also covered by the requirement.

Change protocol, switch from SSL to TLS

It is urgent to switch to the TLS protocol and abandon SSL as soon as possible. As discussed in a previous post, SSL is no longer considered a trustworthy technology for encrypting information in transit over the Internet. QSAs should make this clear to their clients and/or their own company so that they act on it.
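As an added example (not code from the original post or from Advantio), the Python snippet below builds a client-side TLS context that cannot negotiate SSLv2 or SSLv3 and reports the protocol floor it enforces. The TLS 1.2 floor is this example's choice; the post itself only says to move from SSL to TLS.

```python
"""Added example (not from the original post or from Advantio).

Creates a TLS client context with an explicit minimum protocol version so
that SSLv2/SSLv3 can never be negotiated, and a small check that tells an
operator whether a given context could still fall back to SSL."""
import ssl


def hardened_client_context(floor: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Client context with certificate and hostname verification and an
    explicit protocol floor; anything below `floor` is refused during the
    handshake. TLS 1.2 as the default floor is this example's choice."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = floor
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    return ctx


def enforced_floor(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will accept."""
    return ctx.minimum_version.name


def ssl_allowed(ctx: ssl.SSLContext) -> bool:
    """True if the context could still negotiate SSLv3 or lower.
    TLSVersion.MINIMUM_SUPPORTED is a negative sentinel meaning 'whatever the
    linked OpenSSL allows', so it is treated as exposed as well."""
    v = ctx.minimum_version
    return v == ssl.TLSVersion.MINIMUM_SUPPORTED or v <= ssl.TLSVersion.SSLv3


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("protocol floor:", enforced_floor(ctx))
    print("SSL negotiable:", ssl_allowed(ctx))
```

To use the context for a real connection, wrap the socket with `ctx.wrap_socket(sock, server_hostname=host)`; a server that only offers SSLv3 will then fail the handshake instead of silently downgrading the session.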

How are these changes going to impact your business?

The changes to version 3.0 respond to the changed threat landscape and to the increase in the number of attacks recorded during 2014, with the aim of avoiding data breaches, attacks and threats. The PCI Council initiative needs to be taken seriously: most companies that hold cardholder data and process debit or credit card payments are required to review their processes and technologies as soon as possible.

Make sure you have the right guidance

Need help? Stay in touch with us: let us take a look at the status of your compliance and help you increase your ability to monitor and continually achieve compliance.

Marco Borza

Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason I started my own business is to make IT security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight) / Linux+ / PCI-QSA / PA-QSA