You may never have heard the term ‘zero-trust architecture’; it is relatively new within the security landscape and, even if you have heard of it, you may be wondering what it has to do with v4.0 of the Payment Card Industry Data Security Standard (PCI DSS). Well, within PCI DSS v4.0, the PCI Security Standards Council (PCI SSC) made a number of changes to the access control requirement, i.e., Requirement 8: Identify and Authenticate Access to System Components. Many of these changes related to multi-factor authentication (MFA) and system/application accounts, which have already been discussed at length by much of the already published content on v4.0 of the PCI DSS (to learn more about the broader changes to MFA in PCI DSS v4.0, read our blog on PCI DSS v4.0 and Multi-Factor Authentication). However, one of the smaller changes within the access control requirement could have significant consequences for organisations (depending on their environment), and this relates to zero-trust architecture.
Following on from our blog on PCI DSS v4.0: Network Security Controls, where we drilled down into the specifics of a smaller, but still impactful change in PCI DSS v4.0, this blog will explore an updated PCI DSS requirement which concerns forced password changes.
How have the requirements around forced password changes been updated in PCI DSS v4.0?
Under the old version 3.2.1, the PCI DSS mandated that all passwords must be changed at least every 90 days irrespective of the account, the access level, and other authentication systems – it simply stated that all passwords much be changed.
This has caused a great many discussions between PCI qualified security assessors (QSAs) and organisations over the years, as there are many security professionals who believe that the practice of forcing password changes is less secure due to the policy’s complexity and the inconvenience it imposes on users. Also, many governmental advisory bodies have started to move away from this type of policy in recent times, leading to conflicts within organisations that need to meet several different security standards. As such, a change to this requirement in the PCI DSS was necessary to bring it into line with current security standards and practices.
However, it’s not simply a matter of disabling the mandatory password changes, as the new Requirement 8.3.9 features two major changes: firstly, it now only applies to accounts using single-factor authentication, meaning that MFA accounts do not have to change their passwords at all, providing yet another reason to adopt MFA across the board.
Secondly, the Requirement now has two options for the remaining single-factor authentication accounts: mandatory password changes every 90 days, or ‘the security posture of accounts is dynamically analysed, and real-time access to resources is automatically determined accordingly.’ This second option is also known as zero-trust architecture, and the principle is detailed in one of the National Institute of Standards and Technology (NIST) Special Publications (SP 800-207), as are many of the security principles that the PCI DSS draws upon.
What is zero-trust architecture in PCI DSS v4.0?
Whilst the intricacies of zero-trust can get very technical, the underlying principle is relatively simple. Essentially, you start from a baseline of no person or system is allowed access to anything i.e. ‘trust no-one’, then each individual access request is dynamically analysed in real-time to determine whether access should be granted for that request.
This analysis will take in a wide range of data points to make its determination, including considerations such as: the device being accessed, the location of the access request, the user or systems requesting access, the time of the access request, the resources being accessed, the route taken from the request to the device, and the frequency of similar requests. This allows each access request to be analysed based on its own merits and granted accordingly and, if a request is unusual, it could be an indicator that the account has been compromised and access will be denied by default.
Should you use zero-trust architecture to meet PCI DSS v4.0 requirements?
Zero-trust architecture may initially seem like an ideal option to adopt as it could be managed by a large autonomous system, however it is important to note that such an architecture requires the deployment of an application or service that is capable of providing an effective zero-trust access architecture, and these services are not particularly cheap or easy to configure. These services also require a level of ongoing resourcing to ensure they continue to operate effectively, which could impact your IT department’s day-to-day costs and available time. Meanwhile, you would need to account for these access systems within your disaster recovery and business continuity plans.
All of which is not to say that these types of zero-trust systems are not effective at securing access in a way that traditional access control cannot achieve, but to make you aware that there are a great number of considerations that should guide your decision to use such systems. Zero-trust systems are not for everyone, and some organisations will unfortunately still have to mandate periodic password changes because after all: sometimes the simplest solution is the best one.
How URM can help?
Understanding how best your organisation can meet the new and updated PCI DSS requirements and maintain PCI DSS compliance can be difficult without assistance. However, URM’s extensive experience as a PCI Qualified Security Assessor Company (PCI QSAC) means we are ideally placed to help you navigate the new version of the Standard and support your transition to v4.0. Our large team of PCI DSS consultants can offer a range of services on both sides of the certification process; we can provide a scoping service to help you define the most streamlined and appropriate certification scope, and can conduct a gap analysis of your current environment against the PCI DSS requirements to allow you to identify any areas of noncompliance. If noncompliances are identified, URM’s PCI DSS consultant will be able to assist with any necessary implementation and remediation activities to ensure you can achieve and/or maintain compliance.
Meanwhile, when you are fully prepared, URM can support and facilitate your assessment by conducting a PCI DSS audit, which, if successful, will then result in certification to the Standard. Depending on your organisation’s merchant/service provider level and the level of support you prefer, URM can offer a QSA supported self-assessment questionnaire (SAQ), where our assessor will lead your completion of and countersign the SAQ, support your completion of the SAQ in an advisory capacity, or, if your organisation is a Level 1 merchant or service provider, deliver a QSA-led PCI Report on Compliance (RoC). URM’s QSAs can also work with your organisation to conduct a pre-audit readiness assessment, prior to the formal assessment, which will allow you to identify any issues that could prevent you from achieving PCI compliance.
If your organisation has received a request for a SOC 2 report and is looking to meet all the necessary requirements, URM can offer you informed guidance and practical support.
URM can help you achieve ISO 27001 certification
URM can provide a range of ISO 27002:2022 transition services including conducting a gap analysis, supporting you with risk assessment and treatment activities as well as delivering a 2-day transition training course.
URM’s blog dissects the new PCI DSS requirements around targeted risk analysis, what they involve, and how the 2 types of TRA in the Standard differ.
For an organisation to achieve and maintain compliance to the Payment Card Industry Data Security Standard (PCI DSS)....
Almost all organisations that implement the Payment Card Industry Data Security Standard (PCI DSS) struggle with the scope of the applicability....