Forthcoming PCI changes will bring challenges for payment card network community

Organizations that use SSH keys for secure access to servers should be aware that they may soon need to change how they manage keys on any network involved in payment-card processing, according to Tatu Ylonen, CEO of SSH Communications Security.

That's because the next version of the Payment Card Industry (PCI) standard, PCI v.3, due to be published in early November, is expected to include new guidance on authentication and remote access for any network segment that processes or stores payment-card data, and that guidance could affect how Secure Shell (SSH) cryptographic technology is used, Ylonen says.

"Key access clearly can be used in a PCI environment," Ylonen notes. "But key access across from a boundary forces problems." Any organization storing or processing payment cards must follow the PCI standard's requirements for network security. SSH keys are often used for automated machine-to-machine security, and SSH keys grant access with a password, Ylonen notes. Boundaries for PCI networks define the segments in which card storage or processing takes place -- often called the PCI network "scope" -- and those segments must conform to the requirements defined in the PCI Data Security Standard (DSS) published by the PCI Security Standards Council.

Ylonen says he is encouraging systems administrators -- the individuals often responsible for setting up SSH key management for enterprise networks -- to start discussions about the upcoming PCI DSS v.3 standard with those in their organization most responsible for PCI compliance, such as chief security officers, CIOs or internal auditors. From what he's seen of the draft of the PCI v.3 standard, Ylonen says, "the rules themselves are good but guidance is vague."


Ylonen says any enterprise using SSH must know exactly how SSH has been deployed. In large organizations, use of SSH keys has sometimes not been managed sufficiently and has sprawled, he acknowledges. Some large financial institutions, for example, have over 1.5 million authorized SSH keys, but sometimes "80% to 90% are just forgotten," he points out.
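The sprawl Ylonen describes is visible in the `authorized_keys` files themselves: a key with no `from=` restriction can be used from outside the card-processing segment, and a key nobody can tie to an owner is the "forgotten" case. The following is an added example (not code from the article, from SSH Communications Security, or from the PCI Security Standards Council) of an audit that parses an OpenSSH `authorized_keys` file, computes the `SHA256:` fingerprints that `ssh-keygen -l` prints, and checks each key against a hypothetical inventory. The inventory format (`fingerprint -> {"owner", "automation"}`) and the sample file contents are constructed for the example; the `from=`, `command=`, `no-pty` and `no-port-forwarding` options are real OpenSSH authorized_keys options.

```python
"""Audit an OpenSSH authorized_keys file against a key inventory (added example)."""
import base64
import hashlib
import re
from dataclasses import dataclass

# Key types this example recognizes; ssh-dss is flagged as weak.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")
WEAK_TYPES = {"ssh-dss"}

# One authorized_keys entry: [options] keytype base64-blob [comment]
# Options may contain quoted values with spaces, e.g. command="rsync --server".
_LINE_RE = re.compile(
    r'^(?:(?P<opts>(?:[^\s"]|"(?:[^"\\]|\\.)*")+)\s+)?'
    r'(?P<type>' + "|".join(re.escape(t) for t in KEY_TYPES) + r')\s+'
    r'(?P<blob>[A-Za-z0-9+/=]+)'
    r'(?:\s+(?P<comment>.*))?$'
)
# Individual option: name, optionally ="value" (with backslash escapes)
_OPT_RE = re.compile(r'([A-Za-z][\w-]*)(?:="((?:[^"\\]|\\.)*)")?')


@dataclass
class AuthorizedKey:
    line_no: int
    options: dict      # option name -> value string, or True for flag options
    keytype: str
    blob: str          # base64 public-key blob
    comment: str


def parse_authorized_keys(text: str) -> list:
    """Parse authorized_keys text; blank lines and # comments are skipped."""
    keys = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: not a valid authorized_keys entry")
        opts = {}
        if m.group("opts"):
            for om in _OPT_RE.finditer(m.group("opts")):
                opts[om.group(1)] = om.group(2) if om.group(2) is not None else True
        keys.append(AuthorizedKey(n, opts, m.group("type"),
                                  m.group("blob"), m.group("comment") or ""))
    return keys


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the format ssh-keygen -l prints (base64, no padding)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def audit(keys: list, inventory: dict) -> list:
    """Return (line_no, issue) findings. inventory maps fingerprint -> record."""
    findings = []
    for k in keys:
        entry = inventory.get(fingerprint(k.blob))
        if entry is None:
            findings.append((k.line_no, "not in inventory (possible forgotten key)"))
        if "from" not in k.options:
            findings.append((k.line_no, "no from= restriction: usable from outside the segment"))
        if entry and entry["automation"] and "command" not in k.options:
            findings.append((k.line_no, "automation key without forced command"))
        if k.keytype in WEAK_TYPES:
            findings.append((k.line_no, f"weak key type {k.keytype}"))
    return findings


def _blob(label: bytes) -> str:
    # Constructed stand-in for a public-key blob; only valid base64 matters here.
    return base64.b64encode(label).decode("ascii")


B1, B2, B3, B4 = (_blob(b"constructed-key-%d" % i) for i in (1, 2, 3, 4))

# Constructed sample file (line numbers matter for the findings below).
SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed sample, not a real authorized_keys file
from="10.20.30.0/24",command="/usr/local/bin/backup-pull",no-pty,no-port-forwarding ssh-ed25519 {B1} backup@batch01
ssh-rsa {B2} jdoe@laptop

command="/usr/bin/rsync --server --sender" ssh-rsa {B3} old-sync@legacy
from="10.20.0.0/16" ssh-ed25519 {B4} deploy@ci
"""

# Hypothetical key inventory (what a CMDB or key-management system would hold).
INVENTORY = {
    fingerprint(B1): {"owner": "backup team", "automation": True},
    fingerprint(B2): {"owner": "jdoe", "automation": False},
    fingerprint(B4): {"owner": "ci platform", "automation": True},
}


def run_sample() -> list:
    return audit(parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS), INVENTORY)


if __name__ == "__main__":
    for line_no, issue in run_sample():
        print(f"line {line_no}: {issue}")
```

On the sample, the backup key on line 2 passes every check, the interactive user key on line 3 is only flagged as unrestricted, the legacy rsync key on line 5 is both unknown to the inventory and unrestricted, and the CI key on line 6 is an automation key with no forced command. Running the same audit across every account's `authorized_keys` and every inventory record is the starting point for answering the "scope" question for keys that cross the PCI boundary.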

Ylonen has embarked in recent weeks on a vigorous campaign to convince the PCI Data Security Standards Council to tweak the upcoming PCI v.3 standard so that it clarifies machine-to-machine use of SSH and the PCI boundary "scope" question as it relates to SSH.

Ylonen has come out strong on this in the last few weeks in a last-minute push, says Troy Leach, CTO at the council.

Bob Russo, the council's general manager, notes that Ylonen publicly discussed his concerns at the recent conference on PCI that the council organized, and has also met privately with council members. The draft of the PCI v.3 standard is still subject to change before its expected issuance on Nov. 7, Russo pointed out. Russo says the council is still "tweaking" the draft PCI v.3 standard before it is issued. More input is expected over the next weeks from businesses and vendors in Europe and Asia as well.

Leach says that, as far as SSH is concerned, the PCI v.3 standard for card-processing environments is intended to "fix bad implementations of SSH." The council wants to make sure SSH is used appropriately and securely. The issue of a password "was a big focal point" in discussions with Ylonen, who appears to want changes in PCI v.3 related to SSH and passwords that would give SSH Communications Security more leverage, Leach says, adding, "What he wants is for us to include more prescriptive language" about SSH that is technical in nature and relevant to the banking industry.

Russo and Leach point out that there is much more to the upcoming PCI v.3 standard than just guidance that might impact SSH.

A new requirement expected in PCI v.3 relates to network segmentation for cardholder data environments and requires validation of the segmentation by a form of penetration testing, says Leach. There will also be more emphasis on a secure development life cycle, as well as some "common sense requirements" on how point-of-sale terminals are set up in shared areas. The overall PCI "guidance," which was previously kept more separate from the plain list of requirements, will be woven into the standard as a column explaining the intent of each requirement.

Russo says that once the final PCI v.3 rule is published in November, it becomes effective on Jan. 1, 2014, but companies are allowed to continue using the PCI v.2 standard for payment-card security until Dec. 31, 2014 at the latest.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:
