The Green Sheet Online Edition

October 11, 2010  •  Issue 10:10:01


The coming changes to PCI

By Tim Cranny

The PCI Security Standards Council is preparing to release updated versions of the Payment Card Industry (PCI) Data Security Standard (DSS) and the Payment Application DSS. Since these standards are the foundation for everything else in PCI, all players in the industry need to know what is happening and what the short-term and long-term implications are.

This is particularly true for those in the chain of liability, such as acquirers, ISOs and merchant level salespeople.

One bit of good news is that the changes do not represent any sort of upheaval that will generate a lot of emergency-response work. However, there are things that should concern payment professionals, in terms of both what is and what is not being changed. This article will look at the proposed changes, what they say about PCI and what should be done.

Most of the proposed changes are described as clarifications or additional guidance and shouldn't cause anyone angst. For example, the first is "Clarify that PCI DSS Requirements 3.3 and 3.4 apply only to PAN [primary account number]. Align language with PTS [PIN Transaction Security] Secure Reading and Exchange of Data (SRED) module."

These sorts of clarifications reduce confusion and ambiguity. Of the 12 proposed changes, nine are essentially similar.

Key changes to PCI

The other three proposed changes are not so simple. Some are classified as evolving requirements and appear to be the first small steps toward genuine change at the heart of PCI.

The three proposed changes (in my own preferred order) accomplish the following:

None of these initially seem substantial, but they raise key points about what PCI is and isn't, and they hint at how PCI will evolve over time.

Let's start with the first of the three points: virtualization. More than almost any other comparable security standard, PCI is specific and prescriptive about details. Rather than taking an approach of "you have to identify problems and fix them," it lists hundreds of specific issues that have to be dealt with.

This approach has some real value (particularly when the intended user base doesn't know much about security and is hungry for detailed guidance), but it does lock everyone, including the standard creators, into an ugly race to keep up on how those details change.

If the details are the totality of PCI, the council has to ask itself: What details do we have to include now that virtualization is becoming common? What about tokenization? End-to-end encryption? Cloud computing? Mobile computing?

Keeping pace with new technology

Technology, industry changes and the arms-race nature of security guarantee there will always be something else coming down the pike.

The council can't do a new version of the standards every six months, nor can it just ignore the new details and only talk about the old details (otherwise you would end up with a slogan along the lines of "PCI: protecting you from last year's threats, today").

This tension, between slow-enough-to-be-manageable and fast-enough-to-be-useful, is a real problem, and there aren't many real answers:

In "Rough seas for PCI," The Green Sheet, March 9, 2009, issue 09:03:01, I wrote, "The standard should keep all its specific requirements, but increase the emphasis on general risk management, particularly for service providers and larger merchants (it is mentioned in PCI, but in a low-key, incomplete way).

"The two approaches are complementary: the explicit requirements can lock in specific desirable achievements and give smaller merchants invaluable guidance, while a general risk management requirement could stop larger organizations from hiding behind a 'we did everything you asked' justification."

What is interesting is that the second and third of the evolving requirements show some real signs of PCI moving in precisely that direction.

A risk management approach

A risk management approach requires users to follow a process similar to the following:

  1. Identify all assets that need to be protected. (This includes more than money and physical assets; it includes sensitive data, company reputation, legal standing and other assets.)

  2. Identify which threats apply to those assets. (Threats can include everything from hackers to embezzlement to accidental loss to earthquakes.)

  3. Decide what constitutes an acceptable level of risk for these threat-asset combinations. (Assigning a value of zero is unrealistic; you need to think in terms of managing risk down to a reasonable level, not extinguishing it completely.) By estimating the likelihood and the consequences of a particular threat, you can calculate a risk rating of that particular threat scenario.

  4. Address threats that have a risk rating above the level you have determined to be acceptable. This means applying additional security measures to reduce the likelihood or consequences, or both, of the underlying threat, until the risk is acceptable.

This sort of approach, if done correctly, is largely immune to the details trap, but it puts a greater burden on those doing the risk assessment to identify and manage the details. The greatest danger (after laziness and the belief that "it won't happen to us") is failure to anticipate a given risk scenario until it's too late.

For that reason, many standards don't abandon the details; they use an approach like, "Do your own risk management, but at the very least, remember to consider the following details."

This captures the better of the two approaches and is, I believe, the most likely path that PCI will take on the way to maturity.
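The four-step process above, combined with the "at the very least, remember to consider the following details" hybrid, as an added example that is not from the article or from the PCI Security Standards Council: a small Python risk register in which the rating is likelihood times consequence, controls lower one or both until the rating is acceptable, and a baseline of specific requirements must also be in place before the assessment passes. The 1-to-5 scales, the threshold, the sample scenarios and the baseline strings are assumptions constructed for illustration.

```python
"""Risk register for the four-step process above, plus a mandatory baseline of
specific requirements (the 'do your own risk management, but at least consider
these details' hybrid). Scales, scores, scenario names and baseline items are
constructed for this example; PCI itself prescribes no numeric risk scale."""
from dataclasses import dataclass, field

ACCEPTABLE = 6  # step 3: a rating (likelihood x consequence) at or below this is tolerated

@dataclass
class Scenario:
    asset: str            # step 1: what is being protected
    threat: str           # step 2: what could harm it
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    consequence: int      # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def rating(self) -> int:
        return self.likelihood * self.consequence

def treat(s: Scenario, control: str, d_likelihood: int = 0, d_consequence: int = 0) -> int:
    """Step 4: apply a control that lowers likelihood and/or consequence (floor of 1)."""
    s.likelihood = max(1, s.likelihood - d_likelihood)
    s.consequence = max(1, s.consequence - d_consequence)
    s.controls.append(control)
    return s.rating()

def above_threshold(register, acceptable=ACCEPTABLE):
    # scenarios still needing treatment, worst first
    return sorted((s for s in register if s.rating() > acceptable), key=Scenario.rating, reverse=True)

def assess(register, baseline, implemented, acceptable=ACCEPTABLE):
    """Hybrid verdict: passes only if every residual rating is acceptable AND every
    baseline detail is in place. Returns (passes, open_scenarios, missing_items)."""
    open_scenarios = above_threshold(register, acceptable)
    missing = sorted(b for b in baseline if b not in implemented)
    return (not open_scenarios and not missing), open_scenarios, missing

# Constructed sample register and baseline (illustrative, not a real assessment).
REGISTER = [
    Scenario("stored PAN database", "external attacker via web application", 4, 5),
    Scenario("stored PAN database", "insider copying records", 2, 5),
    Scenario("paper receipts in back office", "accidental loss", 3, 2),
]
BASELINE = {"3.3 PAN masked when displayed", "3.4 PAN rendered unreadable wherever stored"}

if __name__ == "__main__":
    treat(REGISTER[0], "network segmentation and WAF", d_likelihood=2)        # 20 -> 10, still open
    treat(REGISTER[0], "tokenization, PAN no longer stored", d_consequence=4)  # 10 -> 2
    treat(REGISTER[1], "access logging with daily review", d_likelihood=1)     # 10 -> 5
    print(assess(REGISTER, BASELINE, {"3.3 PAN masked when displayed"}))      # fails: 3.4 missing
```

Note that the run in the `__main__` block drives every residual rating under the threshold yet still fails, because one baseline detail is absent: that is the point of the hybrid, the risk process does not excuse the explicit requirements.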

The upshot of this path for PCI is that it is going to become more complicated and less open to the "check the box" approach that some people use today. ISOs and others who want to handle PCI properly should start thinking now about the dangers of a short-term, quick-and-dirty approach, and consider either developing a sophisticated approach in-house or partnering with a specialist security company that can guide them to that next level of maturity when the time is right.

Taking this smarter approach to PCI is already a good idea (in terms of security and proper portfolio management) and is starting to become a necessity.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at cranny@panopticsecurity.com or 801-599 3454.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
