Doug Klotnia, Trustwave

The PCI Security Standards Council (PCI SSC) recently released highlights of the widely anticipated PCI DSS 3.0 requirements.

Businesses that store, process or transmit cardholder data must follow the requirements to better protect their customers' information from being stolen by criminals.

I commend the PCI SSC for encouraging organizations to take security seriously and was pleased to see that the highlights included fundamental security baselines. However, I would like to see some additional changes addressing risk assessments, penetration testing and mobile security.

As revealed in the "2013 Trustwave Global Security Report," most of the compromises we investigated in 2012 used a common attack sequence consisting of infiltration, propagation, aggregation and exfiltration. This sequence can be disrupted if companies implement a multi-layered security strategy.

The proposed changes in PCI DSS 3.0 begin to address this by including new requirements for PoS (point-of-sale) terminals, service providers and segmentation effectiveness. However, there still needs to be more focus on emerging threats and risk-based security.

I would like to see more enforceable language related to the risk assessment requirements. Risk assessment programs enable timely identification of, and response to, emerging threats and changing business realities, such as mobile technologies, bring-your-own-device (BYOD) adoption and cloud services. The PCI DSS requirements related to risk assessment should include more detail about identifying a risk assessment team and methodology, should require an ongoing risk treatment plan, and should require that industry-qualified personnel perform the risk assessments.

The requirements should also clarify who is responsible for signing off on the assessment findings and for setting the organization's risk acceptance level and risk appetite.

Because technology changes so rapidly, the frequency of risk assessments should be increased to quarterly and/or before significant changes occur. PCI DSS 3.0 should also place greater focus on penetration testing. Organizations should be required to perform penetration tests, conducted either by an in-house ethical hacker or by a third party, that simulate known attack techniques (such as infiltration, propagation, aggregation and exfiltration).

Penetration tests comprehensively evaluate an organization's ability to prevent, detect and respond to an attack, so that the organization can identify where its security needs improvement.

Finally, the new requirements should better address mobile security and BYOD. The Trustwave report noted that mobile malware increased by 400 percent in 2012. Organizations should be required to designate a certified security expert to focus specifically on mobile security, and the scope of that effort needs to be properly defined for the entire process. As the BYOD trend continues, the PCI community must make mobile security a top priority, beginning with an industry-standard methodology and framework.