Greg Rosenberg, security engineer, Trustwave

The spate of payment card breaches during the past year has left businesses and consumers asking, “What's the problem?” The number of breaches, amount of records and types of records stolen has been climbing at a rapid pace. Regulators and industry stakeholders have turned some of their focus to the Payment Card Industry Data Security Standard (PCI DSS) to determine if any fault lies within the standard itself or how it is enforced. However, those who seek to hold the PCI DSS primarily at fault fail to understand how it is created and ultimately used in practice. 

The standard works on a three-year rolling period. The new version of the standard, PCI DSS 3.0, was released in November 2013. Starting January 1, 2014, organizations could choose to use either version 2.0 (the current iteration) or 3.0. Beginning January 1, 2015, all organizations must use version 3.0.

The drafting process for the new version of the standard started in November 2012. Layering this lag in time on top of the fact that many organizations view compliance as an annual activity in which they want to "check the box" as inexpensively and expediently as possible, one may reasonably conclude that being PCI DSS compliant does not necessarily mean that a merchant is addressing and protecting against the most recent risks.

Also, the PCI DSS was not designed to ensure an organization is completely secure. It was architected to provide a baseline for security. It is incumbent on organizations to understand their risk profile first, address any shortcomings, and then see where (if any) compliance gaps remain. With this in mind, there are some targeted changes in the new version of the standard that bear mention:

  1. Third party service providers have new obligations under the PCI DSS. Most notably, they will need to clearly articulate which PCI DSS controls they are addressing and which are left to the merchant. Too many service providers have sold their products and services under the guise that they are compliant. What many merchants have interpreted this to mean is that they themselves have no responsibility to address PCI DSS. This new transparency should help merchants make more informed decisions about the true cost for outsourced solutions and how liability may be impacted. Additionally, service providers will now be required to have unique passwords for each merchant they remotely manage and use two-factor authentication. Hackers have exploited weaknesses in remote access as a stepping-stone to break into a business and repeat their break-ins across other businesses. The ability to repeat the same attack sequence many times over is enticing to hackers since it is an efficient means to gather a maximum amount of sensitive information.

  2. Some e-commerce merchants that redirect their customers to a third party for payment card collection will now have their web environments scrutinized, even if their web servers and applications never touch a credit card number. According to our Trustwave Global Security Report, e-commerce attacks made up 54 percent of assets targeted in 2013, so any requirement that helps strengthen security across these kinds of merchants helps.

  3. Penetration testing requirements must now follow a formal methodology. Penetration testing is a powerful tool with which merchants can simulate an attack based on seemingly innocuous vulnerabilities. Unfortunately, the check-box mentality has led to the use of inadequate tools, as well as personnel who lack the wherewithal to put together a reasonable attack scenario and make the necessary recommendations as a result. Penetration testing will be required for all merchants that segment their environment to reduce scope, even those who self-assess under the shorter self-assessment questionnaires and have never conducted penetration tests before.

The changes should help businesses stay ahead of the criminals – especially since they require more support from various parties that have not faced these requirements in the past.

The primary challenge in securing payment card data is that too many of those involved see the PCI DSS as a panacea for every risk in the marketplace. The standard is a starting point for payment card security. Businesses should also implement a layered security strategy that includes technologies and services such as regular vulnerability scanning and penetration testing, and make sure they have enough manpower and skill sets to update, monitor and manage their controls.