New security standard for CHAPS who have your CREDIT CARD data

Did you know small merchants can self-assess? Read on for more shockers


A new version of the PCI-DSS payment card industry standard was published yesterday, and is due to come into effect at the start of January.

The new rules place a greater emphasis on promoting improved security rather than complying with pre-set rules.

PCI DSS 3.0 is designed to "help organisations take a proactive approach to protect cardholder data that focuses on security, not compliance", according to the PCI Security Standards Council*.

The key aim of PCI DSS 3.0 is to change merchants' "mentality", so that good compliance disciplines are adopted operationally as part of their normal business practices rather than treated as a hurdle to get over every year, like taking a car for its annual MOT (the UK's roadworthiness test).

Many infosec pros have historically criticised PCI as simply offering a minimal security baseline, containing such advice as "use an antivirus" and "protect cardholder data", rather than adopting a more risk- or business-focused approach.

A common finding to emerge from analysis of data breaches among merchants is that although they are often compliant at the time of their annual PCI DSS assessment, they are no longer compliant at the time of the data breach.

According to SureCloud, a UK-based provider of cloud-based IT governance services, many e-commerce merchants choose a “cram for the exam” approach that focuses only on being ready for the day of the assessment.

"Often, PCI DSS compliance is treated a bit like the annual MOT on your car," explained Richard Hibbert, chief exec of SureCloud. "You only fix the issues needed to pass the test instead of taking good care of your car all year round."

PCI DSS specifies the "security rules" under which merchants and banks are supposed to process credit card transactions. Merchants are obliged to adopt the standard if they don't want to face higher card processing fees in general and tougher fines in the case of problems. Continual non-compliance by merchants can result in payment processors pulling the plug on e-commerce outfits, leaving businesses without the ability to take e-commerce payments. The standard was placed on a three-year refresh cycle back in 2011.

Small merchants can self-assess

Compliance for small merchants can be achieved through self-assessment, but larger outfits are obliged to hire an independent Qualified Security Assessor (QSA) to run an audit, a potentially costly exercise.

Transforming PCI DSS from an assessment-centric activity into an ongoing security programme would represent a major sea change. In addition, the latest version of the guidelines places greater emphasis on the importance of staff security training.

Tightening up poor password security practices is among the key objectives of the revised standard. The PCI DSS update clarifies the importance of changing default passwords for application/service accounts, as well as user accounts, to address gaps in basic password security practices that are leading to compromises.

Matt Middleton-Leal, regional director for UK & Ireland at security tools firm CyberArk, commented: “It’s extremely encouraging that the latest revision of PCI DSS is moving away from focusing solely on compliance, and moving towards best-practice security.

"As we continue to see privileged account credentials and passwords as primary targets in almost all major breaches, it’s great that this latest version of the standard is taking steps towards addressing this crucial part of the problem."

Biz bods will have to change password policy... Are you also praying your local grocer doesn't use 123456?

“The proposed changes state that revised password policies should include guidance on ‘choosing strong passwords, protecting their credentials, changing passwords on suspicion of compromise’. While this is certainly a step in the right direction, I would argue that we need to go further in order to adequately protect these extremely powerful credentials.

"Rather than waiting for suspicious activity before taking action, organisations should arm themselves with the best possible defence by establishing a centrally managed privileged account security policy. This will allow organisations to determine how regularly passwords need to be changed and can allow users to easily set, manage and monitor password security from one single interface."

“By simplifying the password management process and giving control back to the security, risk and audit teams, companies can be sure that they are not only compliant with PCI DSS v3.0, but also that they are doing everything they can to pro-actively protect their customers’ payment card data,” he added.

Ross Brewer, vice president and managing director for international markets at security dashboard vendor LogRhythm, said that weak passwords are simply the most obvious example of the poor security practices that leave businesses exposed to greater risk of potentially costly and embarrassing security breaches.

Not just cardholders' info at risk

"There’s no doubt that cyber attacks are continuing to grow in sophistication and pose a very real, very serious threat to all businesses, not just those processing cardholder information. As a result, it’s become crucial that issues such as weak passwords, lack of authentication processes and inconsistent assessments are addressed – and regulated – to reflect this. That said, a lack of awareness and inadequate training on standards such as PCI is simply no longer acceptable."

Brewer backed the attempt to move PCI DSS compliance away from once-a-year inspections towards a continuous process, integrated with the day-to-day activities of an e-commerce business.

“A big concern is that organisations tend to view compliance as a one-off obligation, taking a check-box approach which leaves security a mere afterthought once certification has been achieved. This is simply unforgivable in this day and age, and indicates a clear lack of common sense – particularly when security breaches are reported so frequently and customer confidence continues to nosedive."

Bernard Zelmans, general manager of EMEA at FireMon, said: “There have been few subjects that have stirred more controversy in information security than PCI DSS. Some say it has done more to raise the level of security preparedness of millions of merchants than anything before, whereas others claim it is responsible for dumbing-down security to a checkbox standard.

"If the new risk-based approach will result in organisations adopting better security standards, then PCI DSS 3.0 will have succeeded where its predecessors have come up short.

"If nothing else, the PCI council and its members responsible for drafting the new version of the standards have listened to those in the industry who wanted to see PCI DSS evolve. This should result in greater support for PCI DSS within the information security industry.”


A look at the difference between compliance and security in the context of infosec, via the analogy of motorcycle safety, comes in an entertaining video from infosec blogger Javvad Malik (below)

*The PCI Security Standards Council is a forum charged with the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands (including American Express, MasterCard Worldwide and Visa), the council is made up of 650 participating organisations representing merchants, banks, processors and vendors worldwide.
