The PCI Data Security Standard is now 10 years old—and throughout its lifespan, the collection of security measures for credit card transactions has had no shortage of critics.
Some say the PCI-DSS is too stringent and costly; others say it falls short of its security goals. With the latest PCI-DSS version going into effect Jan. 1, its creators are trying to address the latter concerns by forcing companies to take a risk management approach to credit card security that reaches beyond the IT department.
PCI-DSS Version 3.0 introduces 110 new requirements, a 27 percent jump to a grand total of nearly 520 stipulations. Its detractors say the standard—first presented in the 2000s as a collection of best practices supported by American Express, Discover, JCB International, MasterCard, and Visa—has devolved into a check-the-box exercise. To counter that perception, Version 3.0 pushes merchants, banks, and processors using it to embed its security principles into their operations much more, and to consider data security part of business as usual.
“There are still a large number of organizations that look at PCI DSS as just a compliance obligation with point-in-time assessments,” says Christopher Avery, a data security expert with the law firm Davis Wright Tremaine. “That’s not to say that PCI is not important, but they put it to the side until one of the annual attestation windows approaches.”
Among the requirements of the new PCI DSS standard:
Building and maintaining a secure network using firewalls to protect cardholder data, and ensuring that vendor-supplied defaults for system passwords and other security parameters are not used.
Protecting cardholder data and encrypting its transmission across open, public networks.
Maintaining a vulnerability management program with secure systems and applications, plus regular updates to anti-virus software and programs.
Implementing strong access control measures by restricting access to cardholder data (both electronic and physical) on a “need to know” basis.
Regularly monitoring and testing networks and tracking all access to cardholder data.
Maintaining an information security policy that addresses information security for all personnel.
The standard also requires ongoing risk assessments to spot potential vulnerabilities and periodic vulnerability tests, in which an in-house expert or third party plays the role of a hacker and tries to break into the system. Testing and risk assessment are also required for payment card-swipe terminals used in card-present transactions at the point of sale. (Card-swipe terminals were how hackers executed their massive data theft against Target last year.) In addition to periodic inspections for signs of tampering, the personnel who use card-swipe terminals must be trained in how to protect them against unauthorized use.
“There is a renewed focus on the relationship among service providers,” Avery says. “There has always, historically, been some tension there with respect to who is responsible for what and who does what. Under Version 3.0 there are structural changes that make a clearer delineation of who is responsible for what.” Those responsibilities must be documented among merchants and service providers with a written agreement.
The push for a continuous approach to security testing should prod participants, many of them reeling from the wave of breaches and hacker attacks of 2014, to “move the ball forward,” Avery says. “More organizations will recognize that an annual compliance attestation does not in and of itself make you more secure. It is really what your organization is doing the other 364 days of the year that matter.”
Let’s Get Continuous
Pushing the industry mindset from yearly reviews to daily risk management may be easier said than done, and recent research shows the amount of work that remains. Verizon’s “2014 PCI Compliance Report” found that nearly 90 percent of businesses failed their baseline compliance tests under the less stringent PCI-DSS Version 2.0.
A BETTER APPROACH TO PCI COMPLIANCE
The following, an excerpt from Verizon’s 2014 “PCI Compliance Report,” offers suggestions on how to improve the security of credit card data by improving compliance programs.
Don’t Underestimate the Effort Involved
The overwhelming majority of organizations that initiate a PCI program for the first time fail to fully appreciate the impact it will have on their organization, in terms of its scope, the resources, and the time it requires.
If you conduct a business impact analysis—prior to gap analysis and remediation projects—you’ll get a very clear view on the impact that a PCI compliance program will have on your business. This will enable you to estimate the amount of effort required to reach compliance; in virtually all cases this is very accurate. With this calculated forecast, your CISO can confidently set to work on tackling two of the most common pitfalls we see: securing a board-level sponsor, and securing budget.
Make Compliance Sustainable
An increasing number of organizations are starting to realize that treating compliance as an annual fire drill is not only expensive and disruptive, but that doing so leaves them more vulnerable to non-compliance and data breaches. Compliance maintenance must be an ongoing, long-term, sustainable program that’s fully integrated into the day-to-day activities of the organization — “business as usual.”
Think of Compliance in a Wider Context
You shouldn’t treat PCI Security as a blueprint for security or a checklist of everything you need to do. The catalog of controls is not sufficient to adequately protect any organization, of any size, in any sector—the same set of controls applies to the smallest café and the largest payment processor. PCI DSS should be seen as a set of minimum standards.
Just as PCI compliance is best managed by integrating it into wider organizational processes, it’s also most effective when integrated into a wider security program, drawing on other tools, approaches and best practices to simplify compliance and complement its controls. DSS 3.0 includes references throughout to external standards and frameworks from the U.S. National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), and other bodies that you should use alongside the DSS to build an effective control system for protecting all your data and systems.
A survey released in December by Proficio, a provider of managed security services, looked at Version 3.0 readiness. Despite more than a year-long ramp-up, less than half of respondents were ready to meet the requirements. When asked what the biggest challenges were, the most common responses were: ensuring service providers meet new requirements; the increased requirement for security monitoring; and completing risk-assessment and penetration tests.
“We still come across organizations today that have never attained PCI compliance from Day 1,” says William Klusovsky of NTT Com Security, a Boston-based computer and network security firm.
“Organizations that continue to say PCI is just a compliance obligation or a point-in-time attestation requirement will continue to chafe against the standard,” Avery says. “You can’t be really successful and have smooth implementation until you start to think about this more broadly, like you would any other business problem, business challenge, or product rollout.”
As often happens, businesses will likely continue to be either well in front of the challenge or well behind it, without much middle ground. Those who have continuous risk management “as a state of mind” aren’t going to have too much of an issue with the work necessary to adopt Version 3.0, Klusovsky says.
Those still struggling to comply with the basics are the ones who will have a hard time. Success will hinge on changing the payment industry’s mindset from a focus on technology, to one centered around risk mitigation. “If you don’t know what your risks are, you’re just crossing your fingers and hoping you are buying the right tools and investing in the right people and processes,” he says.
The new PCI standards may help define some standard terminology and processes that businesses haven’t understood very well. “We constantly see people ask for a ‘gap assessment,’ and not have a policy that they wanted us to assess against,” Klusovsky says. “They were really asking for a risk assessment. Or, we have people ask for a risk assessment and what they were really asking for is a penetration test.”
“Organizations are realizing they don’t have a framework to operate against,” he adds. “They don’t have ISO 27001 or NIST,” two frameworks designed for IT security. “They have some written policies, and that’s it. A lot of organizations are realizing they need to be strategic about this.”
Although the PCI Security Standards Council can impose fines for non-compliance, reputation and brand damage should be an even greater concern for the companies covered by the framework, Avery says. Whether or not data theft is the fault of a vendor or service provider hardly matters, because “it’s still your name on the side of the building, your customers have a relationship with you, and [they] will think it is you.”
Avery’s takeaway: Information security risk management is a business issue, not an IT issue. “When a breach happens, it isn’t the firewall engineer who loses his job, it is the CEO or CIO,” he says.
“Businesses are pretty adept at managing risk,” he adds. “That is what executive teams do, and this is no different. It is just a different type of risk.”