PCI-DSS 3.2 – The Art of Compliance on the HPE Integrity NonStop Server
Since the release of PCI-DSS 3.0 in late 2013, the PCI Security Standards council has been quite busy. A little over a year after 3.0 was published, the council released PCI-DSS 3.1, followed by several new templates and supplements, including the “Migrating from SSL and early TLS Information Supplement” in April 2015 which highlighted the risks of SSL and TLS 1.0. The supplement not only described a migration plan, but also set a migration deadline of 1 July, 2016.
This caused some concern because SSL is so widely utilized in the payments industry and organizations felt the tight deadline could significantly disrupt business. But on the other hand, so can a data breach.
The council took notice and in April 2016, released PCI-DSS 3.2, which extended the migration deadline to 2018. They also took the opportunity to clarify some of the previous requirements and introduce some new ones that help deal with the current security environment.
Let’s take a quick look at the items most relevant to the HPE NonStop server world.
Requirement 3.3 is focused on PAN masking. The council clarified the language around this requirement by giving organizations more flexibility, based on business needs, to display more than the first six or last four digits of the PAN.
There are several PAN masking/tokenization solutions available for the HPE NonStop server. XYGATE Data Protection (XDP) powered by HPE Data Security (formerly Voltage) provides the level of granularity and flexibility required to ensure the correct amount of data is tokenized. Based on business requirements, XDP determines what parts of the PAN or other data to be displayed to help address this requirement.
Multi-Factor Authentication for Administrators
Probably the most significant requirement impacting customer environments is focused on Requirement 8.3 Multi-factor authentication (MFA).
Poor authentication controls are well known to be one of the leading causes of data breaches. Previously, requirement 8.3 only applied to remote access from untrusted networks. For example, an administrator, user or vendor could remotely authenticate to a network using two-factor authentication , then pivot to any system within the network, including the Cardholder Data Environment (CDE), with just a single set of credentials. This poses a risk as it pushes security controls to the perimeter. To quantify that risk, Verizon’s 2016 Data Breach Investigations Report found that 63 percent of confirmed breaches involved weak, default or stolen credentials.
Additionally, Virtual Private Networks (VPN) caused some interesting exceptions. Upon review of the controls, some point to point VPN tunnels could be considered local network access, with the devices on the other end of the tunnel not requiring two-factor authentication for access to the CDE. Another common method organizations use to meet this requirement is to have system administrators use Remote Desktop technology for administrative functionality. An administrator could connect to a secure “jump server” which acts as a bastion host using two-factor authentication, then use their emulator to connect or “jump” from that server to the CDE, including the NonStop s using their single set of credentials to perform their duties.
“Previously, this requirement applied only to remote access from untrusted networks,” PCI Security Standards Council CTO Troy Leach said in a statement. “A password alone should not be enough to verify the administrator’s identity and grant access to sensitive information.”
PCI-DSS 3.2 now expands requirement 8.3 to include all personnel with non-console administrator access to cardholder data and systems to use MFA. Meaning if an administrator is not physically in the data center on the keyboard, MFA for the system housing card data is a must. The requirement also changes its verbiage from “two-factor authentication” to “multi-factor authentication”. This means local network access to servers, workstations and network devices in the CDE must be protected with multi-factor authentication before granting administrator access to cardholder data or the systems housing them. We recommend implementing multi-factor authentication on every device within the CDE. The use of two single-factor authentication identifiers, such as prompting for two different passwords, is not acceptable.
On the HPE NonStop server, Safeguard alone does not support MFA, but has extensibility through XYPRO’s XYGATE User Authentication (XUA) to provide MFA capabilities. It’s worth noting that HPE has included XUA and XYGATE Merged Audit (XMA) software as part of every new HPE Integrity NonStop server delivered since 2013, so most HPE NonStop customers already have much of this capability available to them.
Further, a common approach for multi-factor authentication is the use of a token device, like RSA SecurID or RADIUS with tokens. XUA supports authentication using RSA SecurID, RADIUS, or Windows Active Directory (if configured with MFA) to meet this requirement.
Migration to TLS
Discovering open source vulnerabilities, especially in SSL, has become big business over the last couple of years. POODLE, Heartbleed, BEAST, LOGJAM etc… there are no shortage of SSL and TLS 1.0 vulnerabilities. SSL is no longer relied on as a strong form of encryption. PCI-DSS 3.1 required organizations to migrate to TLS v1.1 or higher by 1 July, 2016. That deadline has been pushed to 1 July, 2018. As the risk is not minimized, we strongly recommend moving off these insecure protocols as quickly as possible.
Requirements for Service Providers
There are also several new requirements for service providers, mandating them to detect and report on failures of critical security control systems as well as introducing bi-annual penetration testing.
PCI DSS 3.2 also includes new requirements 12.11 and 12.11.1 which require service providers to perform quarterly reviews of their personnel to make sure they are following the security procedures in place.
Now is the time to review the exact changes and determine how PCI-DSS 3.2 clarifications and added requirements impact your organization. The full summary of changes can be found on the PCI Security Standards website. https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2_Summary_of_Changes.pdf.
If you’re not already using multi-factor authentication in your HPE NonStop environment, XYPRO can help enable and configure XYGATE User Authentication, to allow you to comply with these new requirements. XYPRO is also available to assist you to review your HPE NonStop server environment, identify security gaps and help you best prepare for PCI DSS compliance.
Please visit our website www.xypro.com for more information.
Chief Information Security Officer
Steve Tcherchian, CISSP, PCI-ISA, PCIP is the Chief Product Officer and Chief Information Security Officer for XYPRO Technology. Steve is a Member of the Forbes Technology Council, on the NonStop Under 40 executive board and part of the ANSI X9 Security Standards Committee. With over 20 years in the cybersecurity field, Steve is responsible for strategy and innovation of XYPRO’s security product line as well as overseeing XYPRO’s risk, compliance and security to ensure the best experience to customers in the Mission-Critical computing marketplace.
Steve is an engaging and dynamic speaker who regularly presents on cybersecurity topics at conferences around the world.