From my perspective, 2010 has been a critical year for global payment card security efforts that may ultimately result in a significant reduction in future payment card fraud levels. Despite the fact that the criminal element is working harder than ever to thwart all manner of data security safeguards, I believe that, based on our most recent PCI Security Standards Council Community Meetings, the marketplace is nearing a critical mass of security professionals who are united globally around the single issue of payment card data protection. People are “thinking securely,” and are acting on those thoughts.
The sheer number of conference attendees (an unprecedented turnout of more than 1,500 people) and the quality of their discussions confirm that the mindset and attitudes among security professionals have clearly shifted from a reactive, “check-the-box” mentality to recognition that the security and protection of payment card data is a critical business necessity that needs proactive and rigorous review. Let's look at some of the major developments that have occurred this year, which I believe have helped contribute to this growing evolution among security professionals.
As anyone who has been to a carder site can attest, your card data is at risk. The simple fact is that the bad guys want money, and rather than rob a bank, they are going after data in your organization that they can easily turn into money. The three PCI Security Standards are the best baseline protection for securing that data. Now, with the release this year of the newest versions of the Payment Transaction Security (PTS) requirements, the Data Security Standard (DSS) and the Payment Application Data Security Standard (PA-DSS), we are making it even easier for you to make sure you have the proper security controls in place to protect cardholder information. To help facilitate this, the Council has implemented greater alignment between these standards. This “togetherness” helps unite security thinkers in protecting the entire payment process and moves us closer to a more holistic model of security. These changes are not only written into the standards themselves, but are also reinforced by syncing the three together in their development process. Together, these are the tools we are giving you to defend against threats.
With the release of the DSS and PA-DSS in the fall, these now join PTS on a three-year lifecycle for development. What this means for you is that now you have more time to understand the standard, more time to put together and implement your security strategy, and more time for us to get your feedback on payment security threats, challenges and successes.
This doesn't mean we just develop a standard every three years and then go dormant. We now have a process in place to ensure that we react to off-cycle threats, if necessary. This ongoing evaluation includes the Council's investigations into certain technologies and how they may affect your card data environment. Similar to the guidance we issued in the fall of 2010 on EMV implementations and the roadmap we have provided for further study on point-to-point encryption, future guidance will aid organizations in understanding how these technologies define or reshape the cardholder data environment. You've asked for more guidance on virtualization and tokenization, among other items, and with your collaboration we are working on these items to ensure that the deliverables reflect broad market input and provide the information that's most useful to our stakeholders. You asked, we listened and acted, forming special interest groups (SIGs) of industry experts (you and your peers) to examine these technologies in greater detail. These are additional tools to aid you in “thinking securely.” This guidance will help you better understand how these technologies may affect your security and compliance programs.
With your input and participation, we are able to better understand what merchants need and how together we can be more effective in securing cardholder data. One of the things we heard from you is that more time was needed to implement the new standards. By introducing the three-year lifecycle, stakeholders now have additional time to understand and transition to the updated version of the standards and to provide feedback through the process. While version 2.0 becomes effective on Jan. 1, 2011, validation against the previous version of the standard (1.2.1) will be allowed until Dec. 31, 2011. However, the Council encourages organizations to implement the updated version as soon as possible. From Jan. 1, 2012 onward, all assessments must be under version 2.0 of the standards. This new timeline should benefit us all.
“Thinking securely” spreads globally
Finally, if we are to be successful in protecting cardholder data, we have to get better at educating small- and medium-sized businesses on the concept of “thinking securely.” Broad buy-in to this philosophy will help change the landscape moving forward. To help enable this, we have made several changes to the standards, to the self-assessment questionnaire process these businesses use, and to the resources available to assist small businesses in addressing the important issue of card data security. We also launched a new small merchant website, with custom materials and documents specifically crafted to their unique needs. This is similar to the educational effort we undertook when we built a website in eight languages to provide as much information as possible in your native tongue.
Remember, “thinking securely” isn't an enterprise, small business or regional issue. “Thinking securely” is a business necessity, and one that is increasingly being recognized across the globe. With more of you joining the ranks of the organizations following this philosophy, what we have accomplished together in 2010 will go a long way toward protecting cardholder data in the future.
Photo by Matt Greenslade