#PCI-DSS – Change Management and ongoing compliance from Feb 2018

News and information from the Advent IM team.

Thanks again to Advent IM Senior Security Consultant, Mark Jones for his expert eye on the changes to the payment card standard.

Assumption:
Readers already have an understanding of the PCI DSS and/or already compliant with the standard and Requirement 6.4 Change Control Processes.

 

The Issue: 

Currently, under the PCI DSS v3.2 standard Requirement 6.4.6 relating to ‘significant changes’ to the CDE, do the relevant PCI requirements continue to be implemented and documentation (including network diagrams) updated? Today it is only considered ‘best practice’ for this to be the case but from 1st February 2018 it will be mandated to maintain compliance.

 

Who is affected:
The need to be compliant with 6.4.6 will apply to those businesses who have (or are in the process of seeking) Attestation of Certification (AoC) with SAQs A-EP, C and D (for Merchants and Service Providers).
It does not apply to holders of SAQs A, B, B-IP, C-VT and P2PE AoCs.
Things for businesses to consider:
So, what type of change would trigger the need to re-evaluate an organization’s security controls? As with all changes to information systems, it is important to have a process to analyze how changes may impact the environment and the security controls that organizations rely on to protect cardholder data. Building this validation into change management processes helps ensure that device inventories and configuration standards are kept up to date, and security controls are applied where needed. It sounds simple but can easily be overlooked to have a new device added to a network by an individual unaware of security-relevant issues or even the responsibility to protect cardholder data. The new requirement also mentions that businesses should ensure any new additions such as hardware and applications be subject to monthly security testing such as monthly vulnerability testing. A good change management process helps provide supporting evidence that PCI DSS requirements are implemented or preserved through the iterative process and simplify future PCI DSS compliance responsibilities.

Recommendations:
Sound and mature change management processes have always been at the heart of information systems management including maintaining good information security. So, if your business hasn’t done so already, we recommend looking at implementing and being compliant with one of the following good practice standards that incorporate change management :
1. ITIL 2011 – Approach to IT Service Management;
2. ISO/IEC 20000-1:2011 IT Service Management; and/or
3. ISO/IEC 27001: 2013 Information Security Management Systems – Requirements.


[1] There are other national standards in use around the world but those listed are the most commonly implemented within the UK.

Share this Post