PCI 3.2 Significant Changes for the Service Provider

Last week I was speaking with one of our Service Provider clients and the topic of security and Out-of-Band Management (OOB) came up in conversation.  Recently there’s been a lot of chatter about what’s required for OOB, specifically as technology pivots from analog connections to different technology methodologies like cellular wireless and VoIP.

In reading the changes in PCI DSS 3.2, what stands out is the number of updates aimed specifically at the Service Provider.  The PCI 3.2 changes are authored as best practices until 1/31/18, after which time they become a requirement.  These edits to the rules align with the growing industry move toward cloud-based or shared computing-on-demand environments.  CDI has also seen this sort of paradigm shift in the Federal government space, where clients are starting to request more flexible service delivery options.   The PCI Security Standards Council is following suit, to meet an ever-changing physical landscape where network assets are segmented and shared among multiple tenants.

Here’s where things get very relevant for the Service Provider.  PCI rules now explicitly call for action and ownership (see section 12.4.1).  Additional requirement for service providers only: Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include:

  • Overall accountability for maintaining PCI DSS compliance
  • Defining a charter for a PCI DSS compliance program and communication to executive management

Moreover, the Guidance section suggests:

Executive management assignment of PCI DSS compliance responsibilities ensures executive level visibility into the PCI DSS compliance program and allows for the opportunity to ask appropriate questions to determine the effectiveness of the program and influence strategic priorities. Overall responsibility for the PCI DSS compliance program may be assigned to individual roles and/or to business units within the organization. Executive management may include C-level positions, board of directors, or equivalent…

It’s understandable that PCI rules, like any regulations, are tough to keep up with; this is one reason a whole subcontracting industry has evolved alongside the PCI rules.  Although the rule changes may be fluid, there’s a very clear message to heed: your executive management now, very explicitly, shares the risk of following (or not following) security practices.

Although CDI occupies but a fraction of the PCI regulations space, Out-of-Band Management is used by all service providers and needs to be secured because it is a form of remote access.  CDI supplies comprehensive, US-built tools to furnish logging, embedded two-factor security, and a management system to pull it all together.