The Green Sheet Online Edition
March 26, 2018 • Issue 18:03:02
PCI SSC raises bar on data security
When the PCI Security Standards Council was formed in 2006, the new payment standards body assumed responsibility for advancing the Payment Card Industry (PCI) Data Security Standard (DSS) and PIN Transaction Security Standard, which had been promulgated and managed by founding members American Express Co., Discover Financial Services, JCB International Credit Card Co. Ltd., Mastercard and Visa Inc.
At that time, version 1.0 of the PCI DSS had been in place since 2004. It came about just as online commerce was gaining traction and attracting more sophisticated forms of fraud. Today, the PCI SSC oversees 12 standards, in addition to assessor programs, certified solutions and online resources driven by global Participating Organization and Affiliate members and founders at the committee and board levels, as well as various working groups, task forces and special interest groups.
"We've really gone through a renaissance in payments over the last 10 years," said PCI SSC Chief Technology Officer Troy Leach. "We're looking at not only what has been introduced for payment innovation, but also security innovation. There are new ways that you can include more proactive ongoing security within code, more use of things like machine learning and artificial intelligence, and similar types of dynamic security as well."
To usher in next-generation payment security, Lance J. Johnson was appointed Executive Director of the PCI SSC effective January 2018. A payment security veteran, he brings to the role over 20 years' senior leadership experience. He guided global risk management, data security, fraud detection and control efforts at Visa; most recently, he was Chief Operating Officer at Sequent Software Inc.
The PCI SSC has several projects underway designed to make payment data security compliance more accessible to merchants and service providers, as well as offer greater flexibility to software developers and system installers. This article delves into top items on the council's 2018 payment security agenda and strategies advancing data protection.
PCI DSS, TLS update
On Feb. 1, 2018, PCI DSS version 3.2 went into effect. Initially released in April 2016, the update addresses several known exploits against data security and compliance, and introduces new sub-requirements for service providers, including semi-annual segmentation checks and ongoing documentation of cryptographic architecture.
In the latest version, multifactor authentication became a requirement for all non-console administrative access to cardholder data environments (CDEs), whereas in version 3.1 the requirement applied to remote access only. It also enforces stricter controls for documenting, tracking and managing changes to CDEs.
One company working to eliminate system vulnerabilities is Conformance Technologies LLC. The firm offers full-system penetration tests through its Cyber Attack Readiness ToolKit. "Our numbers are, with our penetration test, that in 100 percent of the tests we've done, we've been able to break into the merchant system," said Darrel Anderson, President of Conformance Technologies. "We find vulnerabilities that would allow a hacker to get in, 94 percent of the time we find credit card numbers."
To prevent system vulnerabilities down the road, Conformance Technologies automates compliance processes with its PCI ToolKit, which features online calendaring system reminders for system checks and a policy generator merchants can use for training. Its InConRadar (Internet Content Radar) monitors merchant websites in real time for suspected illegal activities, catching some merchants unaware.
Another PCI compliance requirement mandates that as of July 1, 2018, organizations must migrate from Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) data encryption and authentication protocols to the more secure TLS version 1.2. Certain POI (Point of Interaction) terminals have been exempted from this requirement.
Many consider this security requirement long overdue, since SSL is based on a 22-year-old technology and its replacement, TLS 1.2, has been available for 10 years. TLS 1.3 is currently being tested in the market. The PCI SSC started encouraging organizations to switch protocols in 2015, shortly after the National Institute of Standards and Technology issued a warning that the SSL protocol was no longer reliable.
"The most notable vulnerability was called POODLE (Padding Oracle On Downgraded Legacy Encryption)," Leach said. "Not only was it able to break down the protocol, you could not detect it, if successfully launched. You could think that you had a secure encrypted channel, and in the middle, what we call a man-in-the-middle attack, they could decrypt that information, steal it, re-encrypt it, and neither the sender nor the receiver would know that there was a compromise."
The protocol change has proven challenging for some organizations with larger infrastructures and older technology, but for smaller merchants with modern web browsers the transition has produced less friction, Leach noted. To assist with the protocol migration, the PCI SSC offers several resources on its website, including a webinar and the seven-page Information Supplement: Migrating from SSL and Early TLS.
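Two practical checks follow from the SSL/early TLS deadline described above: pin the server's protocol floor so that nothing below TLS 1.2 can be negotiated, and find out before cutover which clients would break. The block below is an added example, not code from the article or the PCI SSC; it builds a hardened Python `ssl` server context, exposes a function that reports whether a given context could still negotiate below TLS 1.2, and runs a small audit over constructed log lines in a key=value style (the `proto=` field stands in for whatever a load balancer or web server records as the negotiated version) to list the sources still on SSL or early TLS. The log format, addresses and function names are assumptions made for this example.

```python
import re
import ssl
from collections import Counter
from typing import Dict, Set, Tuple

# Version names as reported by SSLSocket.version() and most server logs.
# Everything below TLS 1.2 counts as "SSL or early TLS" in PCI DSS terms.
EARLY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
COMPLIANT_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def hardened_server_context() -> ssl.SSLContext:
    """Server context whose protocol floor is TLS 1.2; TLS 1.3 remains allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression is a known plaintext leak
    return ctx


def early_tls_allowed(ctx: ssl.SSLContext) -> bool:
    """True if the context's floor would still let a peer negotiate below TLS 1.2.

    A context that never pins minimum_version inherits whatever the linked
    OpenSSL build and its configuration allow, which is the weak setting.
    """
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    return ctx.minimum_version.name


def classify(proto: str) -> str:
    """Bucket a negotiated-version string for reporting."""
    if proto in COMPLIANT_PROTOCOLS:
        return "compliant"
    if proto in EARLY_PROTOCOLS:
        return "early_tls"
    return "unknown"


# Constructed sample log: five connections, three of them on early TLS.
SAMPLE_LOG = """\
2018-03-20T10:00:01Z src=203.0.113.10 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 path=/checkout
2018-03-20T10:00:02Z src=198.51.100.7 proto=TLSv1 cipher=AES128-SHA path=/api/v1/auth
2018-03-20T10:00:05Z src=203.0.113.22 proto=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 path=/
2018-03-20T10:00:09Z src=198.51.100.7 proto=TLSv1 cipher=AES128-SHA path=/api/v1/auth
2018-03-20T10:00:11Z src=192.0.2.44 proto=TLSv1.1 cipher=ECDHE-RSA-AES256-SHA path=/pos/upload
"""

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+proto=(?P<proto>\S+)")


def audit_log(text: str) -> Tuple[Dict[str, int], Set[str]]:
    """Count connections per protocol and collect sources still on SSL/early TLS."""
    counts: Counter = Counter()
    stragglers: Set[str] = set()
    for line in text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue  # unparseable line: skip rather than guess
        proto = match["proto"]
        counts[proto] += 1
        if classify(proto) == "early_tls":
            stragglers.add(match["src"])
    return dict(counts), stragglers


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("floor:", minimum_version_name(ctx), "early TLS allowed:", early_tls_allowed(ctx))
    counts, stragglers = audit_log(SAMPLE_LOG)
    print("per-protocol:", counts)
    print("still on SSL/early TLS:", sorted(stragglers))
```

Run the audit against real access logs for a few weeks before the floor is raised: the straggler list is the set of integrations (older POS uploaders, partner APIs, embedded devices) that need attention first, and the per-protocol counts show how much traffic the cutover will affect.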
In February 2018, the PCI SSC and Accredited Standards Committee X9 Inc. (ASC X9), an ANSI-accredited organization that manages approximately 100 domestic and 58 international standards for the financial services industry, joined forces to create a unified PIN Security Standard. The organizations currently maintain separate PIN security standards: the PCI PIN Security Standard and X9 TR39 PIN Standard.
Consolidation of the two standards will simplify efforts for organizations subject to both standards. "Both standards are used for auditing the networks, and the auditors have to be trained and certified to be able to audit to one or both of the standards," said Steve Stevens, Executive Director for the ASC X9.
He noted that roughly 80 percent of the standards' contents are comparable, which means much of the work by the PCI PIN Assessment Working Group will involve unifying the remaining 20 percent, with the second quarter of 2018 the target for a final unified standard.
Hints of further collaboration are in the offing. "The agreement between X9 and PCI SSC has the ability to extend beyond just this one agreement to other things in the future," Stevens said. "The foundation is already there, so it would make things rather quick to do."
Leach agreed, adding that there is a lot of synergy between the two organizations. "ASC X9 requirements are typically much more detailed, for example, on cryptography and certain elements of key management," he said. "We reference such organizations as ISO, ANSI, X9, EMVCo, NIST and others that provide much more specificity as guidance for how to apply that from a practical business perspective."
Another cross-industry effort resulted in the late 2017 release of two new security standards supporting secure implementation of the EMVCo 3-D Secure protocol for dynamic authentication of card-not-present transactions, along with an assessor program and the subsequent release of an SDK program currently in development.
More inclusive QIR program
Launched in 2012, the PCI SSC Qualified Integrators and Resellers (QIR) program, geared toward payment system installers, has just been revised. Since implementing the January 2017 mandate requiring most POS systems to be installed by a certified QIR technician, the PCI SSC has closely monitored program adoption.
To boost participation in the QIR program, the council invited industry feedback and did a thorough analysis of data breach forensic reports. What resulted is a leaner certification program focused on the three primary points of vulnerability most commonly linked to payment data breaches: passwords, remote access and software.
On March 14, 2018, the PCI SSC released details regarding changes to the QIR program. The revised program will offer a more streamlined curriculum, require fewer hours to complete, cost less than the existing program, and require annual requalification versus the three-year cycle previously in effect. Existing QIRs, which are listed on the PCI SSC website, will be phased into the new program as certification qualification terms expire.
"The other piece of feedback we received was that a significant percentage of QIRs are sole proprietor one-person companies, and therefore the model we had in which we qualify the company and then we qualify the employees was cumbersome for them," said PCI SSC Chief Operating Officer Mauro Lance. "So we eliminated the company requirements. Now the individual is going to qualify and be recognized as a QIR."
Anderson encourages individuals to become QIR certified. "We've seen cases where the installer leaves operator ports open after leaving the merchant, which allows any hacker out there to get into those systems," he mentioned as just one example of the pitfalls of not being certified.
Software standards refresh
Also underway is a plan for migrating the Payment Application Data Security Standard (PA-DSS) to a new software security framework validation program and listing; in the interim, however, the PA-DSS standard and program will continue to function as they do now, the council noted.
The PCI SSC Software Security Taskforce, which includes members from Microsoft Corp. and SAFECode (Software Assurance Forum for Excellence in Code), is working to develop a Software Security Standard Framework composed of Secure Software Lifecycle Requirements and Software Security Requirements. The latter will eventually be a modular standard with modules for different types of software.
"Payment software is being pushed to market in much shorter cycles, sprints really," Leach said. "When we created the original PA-DSS program, it was much simpler at that time. You had a lot more proprietary platforms that payments were being processed on, and dedicated, limited terminals." Today open cloud-based platforms and smart devices run software applications across multiple environments, he added.
"With the software lifecycle standard, we want to make sure there is a good security process in place through the design, development, production and maintenance of that software after it's been released and still being used in the marketplace," Leach continued. "We're really excited about how flexible, how transparent and how dynamic we can make security with this new standard."
The council’s request for comment on the proposed standard is expected to draw important PCI SSC member feedback by the comment period's mid-April deadline, as will input received during PCI SSC community meetings scheduled this fall in Las Vegas and London. Shortly thereafter, the PCI SSC plans to draft final content for the new standard.
"The most important part of this program will be to provide new ways to test and validate the security of the software, both the PA-DSS applications that are validated today, as well as new types of applications," Leach said, noting that the transition from PA-DSS is a critical element in the path forward. "The very first priority and first listings for this new standard will be associated with grandfathering in existing PA-DSS applications, as some being validated now will have a shelf life of up to 2022," he added.
Small Merchant Taskforce update
In May 2015, the PCI SSC formed the Small Merchant Taskforce to collaborate on guidance and resources to simplify data security and PCI compliance for small merchants. "What we've done in the task force over the last few years is looked at creating simpler ways of understanding security concepts," Chris Bucolo, Director of Market Strategy at Controlscan Inc., said in a webinar with Conexxus.
Bucolo pointed out that in the initial phase, the Small Merchant Taskforce worked to segment processing methods into individual risk categories and identified the threats most likely to be associated with each category; for example, POS systems versus standalone devices.
"This year we will be releasing Data Security Essentials for what we call low- to medium-risk scenarios, meaning that in certain high-risk scenarios, we still think an SAQ (self-assessment questionnaire) is appropriate, but we are going to let the acquirers and card brands make a determination if they want to offer those as alternatives to SAQs," Bucolo noted.
He believes that, with the consolidation of concepts and fewer questions, every effort is being made to simplify PCI compliance based on risk. According to Leach, the current framework details approximately 17 small merchant payment environment security scenarios; the next iteration will include additional ecommerce scenarios.
"We're putting the categories of security controls into better organization in preparation for a future release of the Data Security Essentials validation framework," Leach said. The framework is expected to be released later this year.