In the wake of Home Depot's massive security breach, the PCI Security Standards Council is bringing change this year by updating its Data Security Standard to PCI DSS version 3.0. This new version, however, was already in the works. The payments industry can only hope that the new standard will keep such breaches from happening and that millions of consumers will be spared such exposure again.
Compliance with this migration is expected by the end of 2014, explains Mo Rosen, COO of Xceedium. Though many organizations have already started migrating from v2.0 to v3.0, all will be required to comply with the new standard by the end of 2014.
“Though the core 12 security requirements remain the same, PCI DSS v3.0 includes a significant number of evolving sub-requirements not mandated by its predecessor,” says Rosen. “To gauge the scope of the change, v3.0 introduces ‘20 Evolving Requirements,’ defined as changes to ensure that the standards are up to date with emerging threats and changes in the market,” he says. As a comparison, the previous change from v1.2.1 to v2.0 introduced just two evolving requirements. “These changes are, simply put, the most basic best practices available in the market today. As a security professional, these changes mean putting security back into compliance – it's a good thing.”
The updates fall into two broad categories: new requirements, and clarifications of or additional guidance on existing requirements, intended to help organizations better understand the intent of those requirements or to provide direction on how best to meet them, says Rob Sadowski, director of technology solutions at RSA.
In addition to helping organizations keep up with the evolving threat landscape and changing technology infrastructure, the Council's overall goal with the changes in 3.0 is to help make complying with the DSS part of their normal business processes and not just a point-in-time event, says Sadowski. “It also will drive more consistency in the DSS compliance assessments being done by auditors (QSAs) by providing specific assessment procedures,” he adds.
Overall, v3 will help IT security pros in advancing the overall protection of their organizations, says Charles Danley, senior compliance engineer at FireMon. “The updated and new security controls are greatly improved and guidance now looks to ensure security is built into the business process for day-to-day operations, which people have often cited as a shortcoming of previous iterations of the standard,” he says. “In this sense, pursuing compliance will track more closely with the core goals of operational security, which is the right direction.”
Other experts point to the requirement that organizations rethink data protection along the lines of both security and compliance, instead of compliance alone. “As the PCI Council points out, the end goal is about protecting sensitive information, not just doing the bare minimum to pass an annual compliance audit,” says Bob West, chief trust officer at CipherCloud. “This will require companies to reassess their current protection strategy and then address any gaps.”
West says that at a high level, v3.0, released last November, defined shared responsibility for data protection, a relevant topic for building a security structure around the shared nature of cloud, and introduced password education and point-of-sale (POS) security training, which is particularly relevant given the string of POS breaches. The August 2014 updates focus on risk assessment to drive more effective security, in addition to the compliance that the payment industry looks to PCI DSS to provide.
As a result, retailers, card processors and others in the payment supply chain will need to invest more in threat monitoring, detection and response, West explains. These recommendations, and the high-profile card breaches over the past nine months, make a strong argument for payment industry companies to incorporate these technologies into their existing set of security solutions.
One notable implication of the new standards is more transparency between service providers and merchants, says Gregory Rosenberg, a security engineer with Trustwave.