Jody Brazil, CEO at FireMon, discusses the new challenges faced by organisations handling payment card data when it comes to complying with the updated PCI 3.0 standard.
Following yet another year of high-profile security breaches and resulting payment card data theft it seems only logical to question whether existing security standards, most notably the Payment Card Industry Data Security Standard (PCI DSS), can be expected to effectively protect consumers’ sensitive financial information.
Developed by the leading names of the payment card world, PCI DSS is meant to provide a baseline for security processes to help the many organisations that handle credit and debit cards protect their customers’ account data. Having been launched a decade ago, PCI DSS has clearly not served to prevent security incidents in general, and some might argue defensibly that over that time frame the data breach landscape has only worsened.
However, much like the changing nature of today’s electronic attacks, the standard itself continues to evolve in an effort to help organisations improve their defences.
As of 1 January 2015, all organisations that store, process or transmit payment card information will be required to comply with the latest iteration of the standard, PCI DSS 3.0. On that basis, let’s outline and explain some of the primary changes found in ‘PCI 3.0’, in particular around the increased requirement to analyse and validate compliance on a more ‘continuous’ basis.
Key changes in PCI 3.0
At its core, PCI DSS is a global standard designed to help organisations process credit, debit and cash card payments securely while reducing related account fraud.
Comprised of a widely accepted set of Best Practices intended to optimise the security of transactions and thereby protect against misuse of personal information, the updated PCI 3.0 standard seeks to introduce tighter controls surrounding the storage, transmission and processing of card holder data while also offering greater protection against potential threats.
Based on feedback received from organisations across the payment card ecosystem – with reference to current trends – changes to the earlier PCI 2.0 standard encourage organisations to take a more proactive approach in protecting card holder data. In particular, PCI 3.0 aims to shift its overall focus more squarely on matters of security management, not the process of merely achieving or maintaining compliance.
In general, PCI 3.0 is best characterised as a set of clarifications and detailed recommendations regarding existing requirements versus a sea change, but greater clarification around what security controls to assess and the evidence required to ensure those controls remain in place is a logical place to start.
For example, the standard’s goal of ensuring that security is further entrenched into business processes as a day-to-day operation, rather than addressed to pass a compliance audit, makes a lot of sense. Perhaps even more so than any other specific requirements listed below, this demand to adopt ‘continuous compliance’ methodologies marks a critical advancement put forward in PCI 3.0.
The increased emphasis on continuous compliance should not only allow organisations to avoid the ‘mad scramble’ often experienced when preparing to undergo PCI audits, but also improve security management on an ongoing basis, which of course remains the actual goal of PCI DSS in the first place.
More importantly, moving to implement continuous assessment of critical security controls including network security device (firewall) infrastructure will actually help organisations better cope with the increasing complexity and ongoing change inherent within today’s real-world environments.
Of course, there are significant implications of working to embrace continuous assessment, with PCI 3.0 requiring more labour to support the expanded requirements, in particular related to network monitoring, organisational security awareness and security education. However, as organisations seek methods to address the shortage of additional resources available when assessing expanded PCI compliance requirements, automation will serve a key role in working to meet these new demands.
Specific PCI 3.0 requirements
As is the case with any industry standards update, there are specific requirements added in PCI 3.0.
*More stringent penetration testing
When conducting penetration tests, merchants or any third parties performing this analysis must now adhere to an industry standard framework which mandates ‘tester independence’ (meaning the person who tests the system cannot be the same individual who manages or administers the system).
In general, penetration testing can be a very fragmented process, differing from one organisation to another so, by invoking a more consistent approach, this process should become more effective.
*All e-commerce merchants must comply
All e-commerce merchants will now be required to fill out a PCI self-assessment questionnaire, fulfil penetration testing and vulnerability scanning requirements and complete all other aspects of the compliance process, even if they don’t directly transmit card holder data.
*Point-of-Sale system reviews
News of breaches at retailers such as Target and Staples related to Point-of-Sale device infrastructure has prompted increased attention on these systems. Under PCI 3.0, point-of-sale devices must now be inspected on a regular basis to make sure that they have not been infected.
Consequences of not being fully compliant
Those organisations that cannot comply fully with PCI 3.0 will face a number of consequences, including fines from members of the Payment Card Industry (such as MasterCard and Visa).
In the case of a breach incident, such measures are also bound to reflect badly on the reputation of the organisation in question with the potential for additional negative press as the result of a fine and, therefore, even greater reputational damage.
Why are the changes being made?
Following feedback from the industry related to current market needs, some of the most common challenges and drivers for change prompting the introduction of PCI 3.0 include:
*Lack of education and awareness
The lack of education and awareness surrounding payment card security, coupled with poor implementation and maintenance of PCI standards may contribute to the rise in number and severity of today’s security breaches.
Changes in PCI 3.0 are geared towards helping organisations better understand how to properly implement and maintain the necessary security controls across their business.
*Weak passwords and authentication
In order to meet the new requirements of PCI 3.0, there’s a renewed focus and added flexibility on areas that in the past have led to incidents of card holder data being compromised, such as weak passwords and authentication methods and poor self-detection of such attacks.
*Third party security challenges
*Slow self-detection of data breaches
*Inconsistency in assessments
The increasing complexity of today’s payment environment with the sharp increase in mobile and online payments in addition to traditional Point of Sale outlets has created the range of potential attack vectors for card holder data. The changes introduced with PCI 3.0 focus on helping organisations understand all their responsibilities when working with business partners to ensure card holder data security on disparate networks, fixed and mobile devices.
How to comply with PCI 3.0
With the changes to PCI DSS effective as of 1 January 2015, there are a number of areas that organisations and third party providers must address in order to demonstrate compliance with PCI 3.0. Here are some direct steps that must be taken:
- Start by reviewing security considerations within business processes
- Ensure that controls are in place, that they’re accurate and adhere to the standards
- Establish a clear understanding of any changes that must be implemented
- Validate that the organisation meets all new and required standards
- Move to implement and advance more continuous security monitoring
All-in-all, the updated PCI 3.0 standard should help organisations become more aware of the risks they face related to payment card data stored, processed or transmitted on their networks. By further instilling the concept and practice of continuous assessment into security management practices, organisations should find that the protection of such data can be more effectively monitored, in turn reducing the likelihood, level and frequency of related data breaches.
Although PCI 3.0 does increase the overall compliance workload, this time can be offset by adopting automated solutions to address challenging tasks such as analysis of network security infrastructure to identify and address underlying risks.
Leveraging such automation not only helps streamline compliance auditing and validates that existing processes and policies are being maintained efficiently, but it also allows organisations to cover more ground with existing staff.
Using this example, PCI 3.0 should at the very least accomplish its overriding goal of re-focusing efforts from merely achieving compliance to improving IT security.