Next month (November 7) the PCI Security Standards Council (PCI SSC), the forum for the development of payment card security standards, will publish the next generation of the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS), V3.0. “Today, most organizations have a good understanding of PCI DSS and its importance in securing card data, but implementation and maintenance remains a struggle – especially in light of increasingly complex business and technology environments,” said Bob Russo, PCI SSC general manager.
“PCI DSS and PA-DSS 3.0 will provide organizations the framework for assessing the risk involved with technologies and platforms and the flexibility to apply these principles to their unique payment and business environments, such as e-commerce, mobile acceptance or cloud computing,” added Troy Leach, PCI SSC chief technology officer.
The proposed updates include:
-recommendations on making PCI DSS business-as-usual and best practices for maintaining ongoing PCI DSS compliance;
-security policy and operational procedures built into each requirement;
-guidance for all requirements with content from Navigating PCI DSS Guide;
-increased flexibility and education around password strength and complexity;
-new requirements for point-of-sale terminal security;
-more robust requirements for penetration testing and validating segmentation;
-considerations for cardholder data in memory;
-enhanced testing procedures to clarify the level of validation expected for each requirement; and,
-expanded software development lifecycle security requirements for PA-DSS application vendors, including threat modeling.
A number of experts believe that with 3.0 the council is baking in more provisions to move the exercise of PCI compliance beyond point-in-time, check-box activities into continuous compliance and, eventually, more mature risk management practices. At the same time, there is concern that while tens of thousands of companies must abide by the standard, many businesses do only the minimum necessary to comply with the rules.
The update is still to be finalized, but there are already concerns circulating about it. IT Trends & Analysis recently spoke with Agiliance, a provider of risk management solutions for governance and security, and SSH Communications Security, inventors of the SSH protocol for data-in-transit security solutions. Both companies expressed concerns about V3.0, and offered suggestions for V4.0.
“PCI for us and for our customers is one of the meatiest regulations out there, far more detailed than many out there,” said Torsten George, VP Worldwide Marketing, Products, and Support at Agiliance. The standard has evolved from a compliance-based to a risk-based approach to security, but the upcoming release still isn’t doing enough to address past vulnerabilities and threats, he said.
If you can’t identify vulnerabilities and threats, you can’t align resources and prioritize actions accordingly. The sheer volume of vulnerability data has become a huge problem for government and financial services, but also for retail and high-tech, said George.
In a typical environment with 3-4 different security systems, these produce 3,000 pages of vulnerabilities a week, which then go into a black hole. “If I have limited resources, I should focus on things that have a real impact on my organization.”
George referred to one government customer that hired 60 people to enter 180,000 problem tickets a month. They couldn’t handle it, so they hired Agiliance.
However, while vulnerabilities and threats – and business continuity – are big concerns with the new standard, the biggest is mobility, he said. The mobile environment is a really big, big thing in everything, including payments, said George.
There is another gaping hole in the proposed standard, said SSH CEO Tatu Ylönen, inventor of the SSH protocol. “We’re finding 80-90% of accesses happening on a daily basis are automated and it’s clear to me you cannot ignore this.”
Nowhere does the specification mention that automated access should be addressed, said Ylönen, nor does it really mention machine-to-machine access, which he believes accounts for at least 80% of security key access. “That’s a major concern for me.”
He said one banking customer has 2 million daily logins, but only 100,000 employees. “If you think of information and security, it starts with who can access what systems and what data. It’s all about access, and any amount of access you cannot associate with a known person or process is a problem in a production environment.”
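The check Ylönen is describing, reconciling successful logins against an inventory of who or what owns each credential, can be run over sshd logs. The script below is an added illustration for this article, not code from SSH Communications Security, Agiliance or the PCI SSC. The log lines, hostnames, addresses and key fingerprints are constructed, and the key inventory (fingerprint to accountable owner) is a hypothetical stand-in for whatever key-management record an organisation actually keeps. Key-based logins whose fingerprint has no recorded owner are the "access you cannot associate with a known person or process".

```python
import re
from collections import Counter

# Constructed sshd log lines in OpenSSH's "Accepted <method> for <user> ..." format.
# Hostnames, addresses and fingerprints are made up for this example.
SAMPLE_LOG = """\
Oct 14 02:00:01 db01 sshd[4123]: Accepted publickey for backup from 10.1.2.3 port 51234 ssh2: RSA SHA256:F1aYbZ0y6w9kJ2qvRj4Lm8Nn7Pp5Qq3Ss1Tt9Uu0VvW
Oct 14 02:00:02 db01 sshd[4127]: Accepted publickey for root from 10.1.2.9 port 40022 ssh2: ED25519 SHA256:Hh2Jj4Kk6Ll8Mm0Nn2Pp4Qq6Rr8Ss0Tt2Uu4Vv6Ww8X
Oct 14 09:15:44 db01 sshd[5210]: Accepted publickey for alice from 10.9.0.7 port 60123 ssh2: ED25519 SHA256:Zz9Yy7Xx5Ww3Vv1Uu9Tt7Ss5Rr3Qq1Pp9Nn7Mm5Ll3K
Oct 14 09:16:10 db01 sshd[5222]: Accepted password for bob from 10.9.0.8 port 60200 ssh2
Oct 14 03:00:01 db01 sshd[6001]: Accepted publickey for backup from 10.1.2.3 port 51240 ssh2: RSA SHA256:F1aYbZ0y6w9kJ2qvRj4Lm8Nn7Pp5Qq3Ss1Tt9Uu0VvW
"""

# Hypothetical key inventory: fingerprint -> accountable owner (a person or a named process).
# In practice this comes from the organisation's key-management records.
KEY_INVENTORY = {
    "SHA256:F1aYbZ0y6w9kJ2qvRj4Lm8Nn7Pp5Qq3Ss1Tt9Uu0VvW": "nightly-backup job (owner: ops team)",
    "SHA256:Zz9Yy7Xx5Ww3Vv1Uu9Tt7Ss5Rr3Qq1Pp9Nn7Mm5Ll3K": "alice (employee)",
}

# Matches successful logins; the trailing key type and fingerprint are only present for publickey.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) "
    r"port \d+ ssh2(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)


def parse_logins(log_text):
    """Yield one dict (method, user, src, keytype, fp) per successful login in the log text."""
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            yield m.groupdict()


def classify_logins(log_text, inventory):
    """Bucket logins into key logins with a known owner, key logins without one, and password logins."""
    buckets = {"attributed": [], "unattributed": [], "password": []}
    for login in parse_logins(log_text):
        if login["method"] == "publickey":
            owner = inventory.get(login["fp"])
            entry = (login["user"], login["src"], login["fp"], owner)
            buckets["attributed" if owner else "unattributed"].append(entry)
        else:
            # Interactive password logins carry no key; they are tracked separately.
            buckets["password"].append((login["user"], login["src"], None, None))
    return buckets


def key_login_share(buckets):
    """Fraction of successful logins that were key-based (a rough proxy for automated access)."""
    total = sum(len(v) for v in buckets.values())
    keyed = len(buckets["attributed"]) + len(buckets["unattributed"])
    return keyed / total if total else 0.0


def unattributed_fingerprints(buckets):
    """Count how often each fingerprint with no recorded owner was used."""
    return Counter(fp for _, _, fp, _ in buckets["unattributed"])


if __name__ == "__main__":
    b = classify_logins(SAMPLE_LOG, KEY_INVENTORY)
    print(f"key-based share of logins: {key_login_share(b):.0%}")
    for fp, n in unattributed_fingerprints(b).items():
        users = {u for u, _, f, _ in b["unattributed"] if f == fp}
        print(f"UNATTRIBUTED {fp} used {n}x as {', '.join(sorted(users))}")
```

On the constructed sample the key-based share is 80%, and the one fingerprint with no owner on record is the one that logged in as root, which is exactly the kind of finding the inventory is meant to surface. The same approach extends to other credential types (API tokens, service-account certificates) provided the log records something that can be joined to an ownership record.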
Given that the PCI Council has moved to a three-year update cycle, it could be another 5-7 years before this gets dealt with. “I don’t think we can wait another 5 years to address this.”
George said the situation is not as dire as it might seem. There are a lot of formal and informal meetings taking place on a regular basis. “In reality, you will change your practices before these new standards come out.”