The Green Sheet Online Edition
November 08, 2010 • Issue 10:11:01
What PCI DSS 2.0 means for financial institutions
I participated in the PCI Security Standards Council's (PCI SSC's) 2010 Community Meetings in North America and Europe, where the 2.0 updates to the Payment Card Industry (PCI) Data Security Standard (DSS) and the Payment Application (PA) DSS were presented. This article provides my perspective on how the updates will benefit financial institutions.
Version 2.0 updates to the PCI DSS and the PA DSS bring no major changes in requirements, a sure sign these security standards are maturing. The 2.0 updates devote significant new text to clarifying the standards, which should help resolve many compliance questions, though there's still room for improvement, as the PCI SSC itself admits.
Progress being made
Still, these clarifications are a step in the right direction and will ultimately help financial institutions reduce their risk and achieve greater data security for cardholder information throughout the credit card supply chain.
As a growing number of high-profile, headline-grabbing incidents demonstrate, sensitive customer data in loan applications, credit histories, payroll files and customer databases are prime targets for hackers. Cyber crimes and other types of data breaches - stolen laptops, lost flash drives and accidental leakage of confidential records - subject financial services organizations to a growing list of civil and criminal penalties.
More nuances clarified
Further down the supply chain, even retailers like Hannaford Brothers Co. that were deemed PCI DSS-compliant have experienced credit card breaches, putting financial institutions at risk of having to cover unauthorized purchases and the expense of issuing new credit cards.
The fact that companies that were deemed PCI DSS-compliant have been breached proves that being compliant doesn't equate to being secure. Clarification of the PCI standards is meant to help companies better understand the nuances of the requirements and provide better guidance on successful data security strategies.
In addition to better clarification, PCI 2.0 continues to address evolving risks and threats and improve alignment with industry best practices. It also gives merchants more flexibility for achieving compliance by allowing the use of emerging technologies to meet data security regulations.
The cost of achieving and maintaining PCI compliance can be high, and the merchant community will welcome anything that brings down the cost. This, in turn, helps to lower the risk upstream to the financial institutions. New technologies like data tokenization, point-to-point encryption (P2PE), Europay MasterCard and Visa (EMV) and virtualization all play a part in reducing compliance costs.
For example, data tokenization and P2PE reduce the cost of compliance by taking entire systems, applications and databases out of scope for compliance and ongoing annual audits. These technologies limit the areas where cardholder data exists, thereby lowering the risk of a data breach and simplifying and speeding up the auditing process.
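As an added illustration (not code from the article, nuBridges or the PCI SSC), the sketch below shows the scoping idea behind tokenization: a hypothetical TokenVault is the only component that ever holds a PAN, while a downstream order store receives tokens that keep the last four digits but deliberately fail the Luhn check, so they cannot be mistaken for real card numbers. The sample PANs are constructed test values.

```python
import secrets
import string

# Constructed sample card numbers (standard test values, not real accounts).
SAMPLE_PANS = ["4111111111111111", "5500000000000004"]


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn check, as real PANs do."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: the single in-scope place where PANs live."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:          # same PAN -> same token
            return self._token_by_pan[pan]
        while True:
            body = "".join(secrets.choice(string.digits) for _ in pan[:-4])
            token = body + pan[-4:]            # keep last four for lookups
            # Reject tokens that pass Luhn (could be confused with a PAN) or collide.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def store_orders(vault: TokenVault, pans: list) -> list:
    """Simulated downstream order database: it only ever sees tokens."""
    return [{"token": vault.tokenize(p), "last4": p[-4:]} for p in pans]


def holds_no_pan(records: list) -> bool:
    """Scope check an assessor could run: nothing stored is a valid PAN."""
    return all(not luhn_valid(r["token"]) for r in records)
```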
Commitment to data security
The PCI SSC is so dedicated to paving the way to the adoption of new data security technologies that it has committed to publishing a series of supplemental guidance papers. The first two of these papers, PCI DSS Applicability in an EMV Environment and Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance, were published Oct. 5, 2010, and cover P2PE and EMV technologies in a payment card data environment.
They were written to help the merchant community understand how P2PE and EMV help define or reshape the cardholder data environment, evaluate the impact of these technologies on PCI DSS compliance efforts and identify future potential for the technologies.
Since there is no "standard" way to implement these technologies, these and future guidance papers will be very useful to merchants who want to incorporate them into their data security programs to reduce fraud in card-present transactions (with EMV) and reduce scope (with P2PE) in compliance with the PCI DSS.
In a nutshell, the easier it is for merchants to understand how to leverage new technology to improve data security and the less costly it is to maintain compliance, the more secure the supply chain becomes.
The less risk there is of a credit card breach at the merchant level, the less risk that financial institutions will be put in the position of bearing the brunt of the fallout of stolen cardholder data. Clearly, this clarification and flexibility will be welcomed by the merchant community and will ultimately benefit the financial services community.
The future of the PCI SSC
During the September PCI SSC North American Community Meeting, there was evidence of a great deal more collaboration among the PCI SSC and the participating organizations, Qualified Security Assessors (QSAs) and the American Society for Quality (ASQ).
One personal example is the work I have been doing leading the Tokenization Working Group as part of the PCI SSC Scoping Special Interest Group (SIG). Prior to June of this year, the PCI SSC's Technical Working Group worked independently from us, resulting in duplicative efforts as we both elaborated on the use of emerging technologies for compliance.
Since then, we've been working together, which will result in the expedited development and dissemination of information about emerging technologies.
In addition, better communication between the council and the participating organizations rang out loud and clear, and I have no doubt the noise was heard by all. Companies and solution providers alike want more clarity about the Self-Assessment Questionnaires (SAQs). They want to learn more and learn it faster by participating in the SIGs. They also want to know how to do more around risk-based approaches to address vulnerabilities. And they're looking for more training opportunities.
There were concerns about getting the PCI SSC to make more definitive decisions about emerging technology conflicts and how to deal with franchisees, since the latter don't often recognize the importance of security.
Both are valid issues and in time they, too, will be addressed. With the support of the participating organizations, QSAs and the ASQ, we can help them move faster by providing input and guidance.
Gary Palgon, a Certified Information Systems Security Professional, is Vice President of Product Management for data protection software vendor nuBridges Inc. He leads the Payment Card Industry's Tokenization Working Group, one of four working groups in the PCI Security Standards Council's Scoping Special Interest Group. Palgon is a frequent contributor to industry publications and a speaker at conferences on electronic business security issues and solutions. He can be reached at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.