The Green Sheet Online Edition
November 25, 2013 • Issue 13:11:02
PCI DSS version 3.0 revealed
Three years ago, the PCI Security Standards Council (PCI SSC) published version 2.0 of the global standard for how payment appliances and networks should be secured. Now version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS) has arrived. Its emphasis is on integrating data security into everyday business practices, as well as providing more flexibility for businesses to comply with the standard while reinforcing their responsibilities – even when security is outsourced to third parties.
PCI DSS 3.0 is the result of input from the council's global constituency of payment technology and service providers and numerous working groups that promulgate best practices for aspects of data security. Drafts of version 3.0 were circulated to PCI participating organizations in August 2013 and were discussed at recent community meetings held in Las Vegas and Nice, France, before the updated standard was released on Nov. 7, 2013.
The update takes effect in January 2014; businesses have one year from that time to implement it. After that first year of PCI DSS 3.0's three-year lifecycle, the council will begin evaluating the effectiveness of the new standard and potential changes to it, based on community feedback and market conditions.
Among the changes made to the 12 overarching requirements of the PCI DSS are a new evaluation process for malware threats and new guidelines involving passwords. Along with the PCI DSS, its companion standard for payment-related software, the Payment Application Data Security Standard (PA-DSS), was also updated. Changes to the PA-DSS include integrity verification of source code during the development process of, for example, mobile payment apps.
Bake it into the business
Bob Russo, General Manager of the PCI SSC, said the main focus of the new overall standard is to compel businesses to make security a business-as-usual practice. "We hear a lot of that compliance talk: 'I'll check the box and I'm done until next year.' And that's where we're seeing a lot of breaches happen. So one of the goals is to try and make this business-as-usual, 24/7, 365 days a year. And make sure people are living and breathing [security]."
The new standard does this by making compliance more user friendly and giving businesses greater flexibility in how to implement it, according to Russo. PCI DSS 3.0 also puts an emphasis on enterprise-wide security education. For example, when businesses merge, the new business environment must be evaluated to ensure that equipment and processes are still PCI compliant, Russo said.
Additionally, the new standard seeks to raise awareness of shared responsibilities among businesses and their vendors. Russo said many merchants are under the false impression that outsourcing data security to third parties frees them from security responsibilities. "That, of course, is not the case," he said.
Educating the new blood
The security landscape seems to be becoming more perilous, not just because of the schemes of enterprising hackers, but also because of security-ignorant app developers. PCI SSC Chief Technology Officer Troy Leach pointed to the audit that followed the breach of a web-based payment application. "A development team was brought in after their payment application had been compromised," he said. "And they were asked, 'Well, why didn't you follow PCI PA-DSS?' And everyone around the table said, 'What is that?'"
In another case, Leach was talking to a businessman on the phone when Leach asked a technical question. Leach noted that in response, the man said, "Well, hold on just a minute. Let me put my developer on the phone." Then he handed the phone to his 15-year-old son, who had developed the application.
These instances highlight a challenge faced by the PCI SSC and the security community. "We have a new generation of developers that have to be introduced to why it's so important to maintain the integrity and trust that we've had for decades in the payments industry," Leach said.
Mobile payments blind spot?
In discussing PCI DSS 3.0, Greg Rosenberg, Sales Engineer at Trustwave and a Qualified Security Assessor, said the council missed an opportunity to address mobile payment security in more depth. A common question he hears from acquirers, ISOs and other merchant service providers is how to bring merchants who use mobile payment solutions into PCI compliance. "And the answer today is it's really difficult under the current version of the PCI DSS," Rosenberg said.
Leach said the PCI DSS is meant to be technology and payment channel agnostic, thereby allowing the standard to function with any payment channel or scheme. But Rosenberg said that mobile payment solutions employ "fundamentally different architecture than other point of sale systems that have been used in the past." Mobile architecture includes global positioning systems, cameras and different operating systems than those of standard POS devices, Rosenberg said. "As a result, the threat presented to these [devices] is unique," he noted.
Rosenberg believes that mobile security requirements can be included in the standard as a carve-out that the council employs for specific technology concerns. "A good example is wireless," he said. "Not every merchant uses wireless. And so we have standards that talk about the type of encryption that should be used, how often you rotate the SSID [service set identification]… Same thing holds true for point to point encryption."
Rosenberg acknowledged that the council does not have an easy task. "Don't get me wrong," he said. "They have a really hard job when you have a proscriptive standard with over 280 controls, trying to apply to every single merchant, no matter how they process payments, and then also baking in the emerging technology and threats."
However, Rosenberg said threats to mobile payments are looming. He cited Trustwave research that tracked a 400 percent increase in the number of mobile malware infections in 2012. While payment volume conducted via smartphones and tablet devices is low in relation to total payment volume, fraudsters are testing the mobile infrastructure for weaknesses.