The Green Sheet Online Edition
December 10, 2018 • Issue 18:12:01
PCI Council: making payment security accessible, relevant
The PCI Security Standards Council (PCI SSC) wants merchants, consumers and service providers to safely transact online, in apps and at stores. Founded in 2006 by American Express Co., Discover Financial Services, JCB International, Mastercard and Visa, the global forum was charged with managing the multifaceted Payment Card Industry Data Security Standard (PCI DSS), which the card brands established in 2004 to perpetuate security best practices across a diverse payments ecosystem.
The remarkable alliance of five fierce competitors underscores their commitment to building a safer payments industry. Together with the council's Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs), the card brand founders govern industrywide compliance. Each has a representative serving on the PCI SSC's Executive Committee, a strategic group that formulates policy and oversees management committee projects, working groups, special interest groups and taskforces. The card brands also enforce PCI guidelines and impose non-compliance penalties when warranted, council members stated.
Through the years, the PCI SSC has produced and guided scanning qualifications, self-assessment questionnaires (SAQs), training, education, and product certification programs. Despite these efforts, it finds that not all merchants and service providers are up to speed on what the PCI DSS is and how to implement it.
Verizon's 2018 Data Breach Investigations Report disclosed downward trending PCI compliance rates, with small and midsize merchants accounting for 61 percent of data breaches in 2017. The Green Sheet asked PCI SSC leaders, advisers and members how they work with payments industry stakeholders to make the PCI DSS accessible and relevant to everyone.
"Small merchants think of PCI as a form they have to fill out every year," said Ruston Miles, chief strategy officer and co-founder at Bluefin, a technology platform. "And every year there are thousands of security breaches. Many small merchants fall below the radar and don't even know when they're breached."
Troy Leach, PCI SSC chief technology officer, said, "Small business owners are more vulnerable to cyberthreats than Fortune 100 companies, because they don't invest in security and monitoring. We try to engage them and make them aware that using point-to-point encryption (P2PE), tokenization and Qualified Integrators and Resellers (QIRs) can eliminate a majority of threats."
One such effort was establishing the PCI Small Merchant Taskforce in 2015, which continually updates educational materials, most recently with the August 2018 publication of the PCI Data Security Essentials Evaluation Tool, Leach noted. Designed to simplify security, the set of resources includes Guide to Safe Payments, Common Payment Systems, Questions to Ask Your Vendors, Glossary of Payment and Information Security Terms, Data Security Essentials Evaluation Tool and a PCI Firewall Basics infographic. Leach said the free downloadable guides are available on the Merchant Resource Page of the PCI SSC's website.
Chris Bucolo, vice president, market strategy at ControlScan Inc., said the evaluation tool was the result of ongoing collaborations among taskforce members around the world. "The ultimate goal is to remove the barriers that keep small merchants from successfully completing their self-assessment questionnaires," he said. "At the same time, we are striving to educate these merchants so that they can achieve a strong security posture."
Collaboration was a recurrent theme at the PCI SSC's North America Community Meeting held at the Mirage Hotel Las Vegas in September 2018. More than 1,300 security professionals attended the annual gathering to discuss evolving threats and recent developments in security. Leach said market feedback and global collaboration are critical to staying ahead of cybercrime.
The council's participating organizations, board of advisers, technical advisory board, regional engagement boards, affiliate members, strategic regional members, taskforces, special interest groups and newly formed global executive assessor roundtable are all part of efforts to promote cross-industry collaboration, Leach noted. "Bringing diverse participants together facilitates meaningful discussions, such as how payment processing in Brazil compares with Southeast Asia," Leach said. "We also looked at how to bring more consistency and transparency to our feedback process."
Incoming PCI SSC executive director Lance J. Johnson added, "It is only by working together as an industry that we can achieve success securing payments and combating card breaches." In his Sept. 26, 2018, keynote address, Johnson cited the PCI SSC's diverse global community as its greatest accomplishment, suggesting that learning from each other is key to a sustainable future.
Verizon's 2018 Payment Security Report provides analysis from PCI DSS compliance validation assessments, including the company's Data Breach Investigations Report. Lead author Ciske van Oosten, senior manager of global intelligence at Verizon Enterprise Solutions, said compliance programs must rely on data and predictive analytics, not guesswork. "We live in a world of models, all kinds of them," van Oosten said. "Some models are simple, others very complex. [Their] main task is to predict how the things they describe will behave, depending on the circumstances."
A simple, highly effective model for a PCI-compliant data protection program would outline key success factors for performance and program competencies, van Oosten proposed. However, chief information security officers (CISOs) frequently fail to win approval, support and funding for these programs. Verizon's 2018 report found that 47.5 percent of respondents had not maintained sustainable control environments between 2016 and 2017, placing them at higher risk of a data breach.
"CISOs must articulate the need in a compelling story to the board of directors," van Oosten said. "The strength and outcomes of the [compliance program] investment must be predictable. To be persuasive, they need precise approaches to measuring and improving performance. They must also align the program with the organization's core values and cultures."
Consistent performance is critical to ongoing data protection, van Oosten maintained. The objective is to make compliance activities and outcomes predictable, which can be challenging for a large enterprise with multiple regions and business units. "The success of a compliance management program is more dependent on how it is structured, what its objectives are, and the 4 C's: the capacity, capability, competence, and commitment with which it is executed," van Oosten added. "This will result in predictable outcomes."
Following are Verizon's nine factors of control effectiveness and sustainability:
- Control environment: A healthy control environment supports the 12 key requirements of the PCI DSS, which encompass network security, configuration standards, cardholder data protection, secure data transmission, malicious software protection, secure systems, access control, authentication, physical security, monitoring, security testing and security management.
- Control design: Effective control design incorporates all PCI DSS security control objectives.
- Control risk: Ongoing maintenance (security testing, risk management, etc.) mitigates control failures, preventing controls from degrading over time and eventually breaking down.
- Control robustness: Control robustness relates to a control system's ability to remain viable during disruptions. Robust control environments are more resistant to adverse events and stealthy, sophisticated attacks.
- Control resilience: Control resilience enables organizations to proactively discover and quickly remediate failure points, ensuring compliance and protecting control environments from failing, van Oosten stated.
- Control lifecycle management: Control lifecycle management entails monitoring and actively managing security controls through each stage of their lifecycle, from inception to retirement, to promote healthy, sustainable control environments.
- Performance management: Performance management is an ongoing process of establishing, communicating and accurately measuring performance standards. Effective performance management improves results, promotes predictable outcomes and facilitates early identification and correction of performance deviations.
- Maturity measurement: A control environment must improve continuously and never be stagnant, van Oosten stated. Using a roadmap and established targets for processes and capabilities can help organizations optimize processes, track process development and ensure that their processes can support continuous improvement.
- Self-assessment: Achieving all of the above objectives requires organizations to assess their 4 C's: resource capacity (people, processes and technology), capability (supporting processes), competency (skills, knowledge and experience) and commitment (consistent adherence to compliance requirements).
PCI SSC members see a need for continuous innovation to meet emerging threats, technology trends and changing consumer behavior. "Despite heavy work schedules, committee members are committed to sharing knowledge and exploring how we can engage as a community," Leach said. "We recognize the importance of developing next-generation standards and programs."
In the past year the council received more than 1,500 highly articulate suggestions on mPOS security, including software-based approaches for protecting PIN entry on commercial off-the-shelf devices, Leach recalled. Discussions led to the January 2018 release of the Software-Based PIN Entry Standard, which isolates PIN from other data. He said the solution builds on a foundation of hardware-based PIN entry solutions and will be part of the upcoming revised PCI Software Security Framework.
Innovation in security is ideally measured by its degree of effectiveness, van Oosten noted. For example, how does it simplify the control environment, reduce costs and management effort or improve visibility and control of security operations? In large organizations, it can take several years for these changes to filter their way through to the rest of the enterprise. It depends, to a great extent, on getting buy-in and support from corporate executives.
"Innovation is important, but the one thing that should not be thrown out with each iteration is security," Miles said. "We see that oftentimes security technology is not keeping pace with new payment schemes."
Having attended PCI SSC community meetings in Las Vegas and London, Miles found marked differences between North America's diversified payments landscape and European countries, which have one or two dominant banks and providers. Controlling your environment may lower risk but can also restrict access to new innovative vendors, Miles noted. "The United Kingdom and Ireland are breaking that mold by introducing new service providers," he said. "These newcomers are not trying to take over; they're just trying to provide more payment delivery options."
"The Payment Card Industry Data Security Standard (PCI DSS) was established by the leading card brands to help businesses that take card payments reduce fraud," wrote the authors of Verizon's 2018 Payment Security Report. "While it's focused on protecting card data, it's built on solid security principles that apply to all types of data. It covers vital topics such as retention policies, encryption, physical security, authentication and access control."
As the PCI SSC continues to build its global community, members see opportunities for collaboration beyond its traditional footprint. Timothy Thomas, vice president of product strategy at ControlScan Inc., a managed security service provider, has seen other organizations push for the same kind of outreach to address security. "The council is finding similarities with other standard bodies, such as HIPAA and ISO," he said. "For example, there are 20 requirements in the ISO compliance standard that exactly match the PCI framework."
As he reflected on emerging markets in the expanding payments sphere, Thomas said, "We're educating vendors who used to worry about their drivers taking cash and never had to think about [payment] security."
He noted, for example, that automated vending and parking garages are relatively new to payments. Service providers that previously sold traditional vending machines are placing self-attended kiosks in factories and offices. Demand is growing because people aren't carrying cash and operators appreciate being able to remotely manage online payments and inventory and know when to stock a machine. No more counting coins and cash, he added.
"Criminals, like water, always find a way in," Thomas said. "As merchants implement P2PE and tokenization, risks flow to weaker points and find their way in through third parties. That's why people like us are invited to more and more venues."