In the wake of Home Depot’s massive security breach, the PCI Security Standards Council is creating some change this year by updating within its Data Security Standard with PCI DSS version 3.0. This new version, however, was already in the works. The payments industry can only hope that new standards will keep such breaches from happening and millions of consumers will avert such exposure again.
Compliance with this migration is expected by the end of 2014, explains Mo Rosen, COO of Xceedium. Though many organizations have already started migrating from v2.0 to v3.0, all will be required to comply with the new standard by the end of 2014.
“Though the core 12 security requirements remain the same, PCI DSS v3.0 includes a significant number of evolving sub-requirements not mandated by its predecessor,” says Rosen. “To gauge the scope of the change, v3.0 introduces ‘20 Evolving Requirements,’ defined as changes to ensure that the standards are up to date with emerging threats and changes in the market,” he says. As a comparison, the previous change from v1.21 to v2.0 introduced just two evolving requirements. “These changes are, simply put, the most basic best practices available in the market today. As a security professional, these changes mean putting security back into compliance – it’s a good thing.”
The two broad categories that the updates fall into include some new requirements with clarifications to, or additional guidance on existing requirements to help organizations better understand intent or provide direction on how best to meet the requirements, says Rob Sadowski, director of technology solutions at RSA.
In addition to helping organizations keep up with the evolving threat landscape and changing technology infrastructure, the Council’s overall goal with the changes in 3.0 is to help make complying with the DSS part of their normal business processes and not just a point-in-time event, says Sadowski. “It also will drive more consistency in the DSS compliance assessments being done by auditors (QSAs) by providing specific assessment procedures,” he adds.
Overall, v3 will help IT security pros in advancing the overall protection of their organizations, says Charles Danley, senior compliance engineer at FireMon. “The updated and new security controls are greatly improved and guidance now looks to ensure security is built into the business process for day-to-day operations, which people have often cited as a shortcoming of previous iterations of the standard,” he says. “In this sense, pursuing compliance will track more closely with the core goals of operational security, which is the right direction.”
Other experts point to the require that organizations rethink data protection along the lines of both security and compliance, instead of just compliance. “As the PCI Council points out, the end goal is about protecting sensitive information, not just doing the bare minimum to pass an annual compliance audit, says Bob West, chief trust officer at CipherCloud. “This will require companies to reassess their current protection strategy and then address any gaps.”
West says that at a high level, v3.0 from last November addressed defined shared responsibility for data protection, a relevant topic to help create security structure for the shared nature of cloud, and implemented password education and point-of-sale (POS) security training, which is particularly relevant given the string of POS breaches. The August 2014 updates focus on risk assessment to drive more effective security in addition to the compliance that the payment industry looks to PCI DSS to provide.
As a result, retailers, card processors and others in the payment supply chain will need to invest more in threat monitoring, detection and response, West explains. These recommendations, and the high-profile card breaches over the past nine months, make a strong argument for payment industry companies to incorporate these technologies into their existing set of security solutions.
One notable implication of the new standards is more transparency between service providers and merchants, says Gregory Rosenberg, a security engineer with Trustwave.
“Third-party service providers – any businesses that interacts with cardholder information – will need to articulate what aspects of the compliance process they are going to fulfill,” he says. In the past, he explains, merchants simply had to list their service providers as part of the compliance process. The service provider had to verify in writing that they were taking steps to protect customers’ cardholder data and doing their due diligence in being in compliance. The problem was that the merchant didn’t really know what security measures, if any, the service providers were taking.
“Service providers can be negligent when it comes to security, i.e., using weak passwords for remote access into the merchants’ PoS systems,” says Rosenberg. Under the new requirement, service providers need to openly articulate what security measures they are putting in place as part of the compliance process. This change opens the lines of communication between the merchant and third-party service provider so that both parties are aware of what each is doing to maintain compliance with the PCI DSS standard, he says.
“Service providers can be negligent when it comes to security.”
– Gregory Rosenberg, security engineer, Trustwave
However, for most merchants with a mature PCI and security program, v3.0 isn’t a huge leap, according to Peter Chronos, chief security officer with Earthlink, an IT services, network and communications provider headquartered in Atlanta. He points out that merchants who have viewed passing an annual PCI audit as the single measure of success for their security program will struggle. “The aim of the new standards is to challenge merchants to move beyond compliance and adopt a security posture that evolves over time,” he says.
Particularly, requirement changes in section 8 – 8.2.3, 8.5.1 and 8.6 – are designed to enhance password security and remove an easy attack vector that has been exploited for years. “Requirement 12.8.5 now mandates that merchants and service providers must maintain documentation that clearly outlines which party is responsible for each DSS requirement,” Chronos says. “This change takes away the scope and responsibility guesswork when merchants partner with a service provider to manage their IT and network infrastructure.”
The challenge accompanying new mandates like this, specifically for third-party relationships, is one of scale as most companies today have hundreds, if not thousands, of third-party suppliers, says Stephen Boyer, CTO and co-founder of BitSight Technologies.
“Certainly not all of these are tied to the payment industry, but in our experience the standards implemented for the PCI-specific parts of a business help to inform the overall security practice for the organization,” he says. “The good news is that the use of security ratings and other disciplines help to mitigate the challenge of scale and implement a ‘tiered due diligence program’ as suggested by section 3.3.”
Xceedium’s Rosen agrees. “Rather than simply complying with standards, organizations need to proactively address cyber threats by implementing privileged identity management. Organizations need to establish a zero trust privileged identity management model inclusive of two-factor authentication that contains, controls, alerts, monitors and audits to proactively mitigate risk.”
With the hangover of Home Depot looming over the industry, we shall see how effective the new security standards help to proactively mitigate such risk.