Original URL: http://www.theregister.co.uk/2010/11/01/pci_revisions/

E-commerce smackdown as PCI standards revised

Comply or die pay fines

By John Leyden

Posted in Security, 1st November 2010 11:35 GMT

Analysis Revisions of the Payment Card Industry's security standards, due to come into force in January, were published on Thursday following months of negotiations.

The PCI DSS 2.0 standard, which specifies the "security rules" under which merchants and banks are supposed to process credit card transactions, contain only minor revisions to what is now a well-established set of minimum standards best practice in managing e-commerce operations securely.

The revised guidelines call for a greater reliance on a risk-based approach for addressing vulnerabilities, rather than a blind adherence to the letter of the law. The latest version of the standard also brings together application and data security standard guidelines and attempts to simplify the process of compliance for small merchants. Despite the changes, security experts say the PCI standards remain confusing for small businesses.

That's a problem that can't be ignored. Small merchants are obliged to adopt the standards or accept higher card processing fees in general and tougher fines or, for continual non-compliance, the withdrawal of their ability to take e-commerce payments.

The opinions of merchants, banks, payment processors and suppliers were taken into account in developing the revised standards, which tie together the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) standards. Other measures include increased support for a risk-based approach to vulnerability remediation and as well as an increased emphasis on an initial scoping of locations where cardholder data resides before applying PCI regulations.

The promotion of more effective log management is also on the agenda, along with more detailed standards for the secure coding of custom-built applications.

The PCI Security Standards Council characterises the changes as "relatively minor revisions" to a "mature standard".

A detailed summary of changes to the standard can be found here. The PCI Security Standards Council has also set up a micro-site designed to help small merchants to reach compliance, which can be found here.

The great thing about standards is that there are so many of them

However, Stuart Okin, UK managing director of security consulting firm Comsec, said that "confusion reigns" in the PCI marketplace. He says this is partly because interpretation of the PCI rules differ in the US and Europe but also because Visa and Mastercard are "out of alignment", a point supported by other industry observers.

Gary Palgon, VP of product management at tokenisation technology provider nuBridges, criticised the card brands for continuing to use their "own, independent standards for PCI compliance" instead of "conforming exclusively to PCI SSC-derived framework".

Palgon says: "Having a universal, singular standards set is paramount for easing compliancy requirements and reducing complexity for merchants and service providers alike."

Virtual reality

Other vendors welcomed the recognition for the increased use of virtualisation and cloud-based technologies in revised standards. Sumedh Thakar, director of engineering at vulnerability assessment firm Qualys, welcomed this attempt to align payment industry security standards with 21st century IT infrastructure realities.

Thakar explained: "The standards were not keeping pace with advances in technology, especially the use of virtualisation in a card holder data environment. The existing standards talk about the notion of having 'One primary function per sever'. In a virtualised environment, this becomes a problem because the environment can be pretty dynamic and you could have virtual servers with different primary functions, like web servers and database servers, on the same physical server."

Merchants sometimes hold back on introducing virtualisation in their PCI environments for fear of being deemed non-compliant, according to Qualys. The revised regulations remove that uncertainty but are likely to have a knock-on effect on other requirements - such as firewalls, pen testing and performing vulnerability scans - that need to be factored into testing regimes.

Rafe Pilling, PCI Consultant at SecureWorks, agreed that the approach to virtualisation in the e-commerce regulations remains somewhat unclear.

Pilling said: "Although there are no groundbreaking changes to PCI 2.0, there have been some clarifications made to the standards and some developments on how companies using virtualisation must comply with the PCI Data Security Standards (DSS).

"However, organisations looking for clear guidance on storing PCI and non-PCI systems in a virtualised environment might be disappointed, as the boundaries are not clearly defined."

Compliance conundrum

The previous version (1.2.1) of the PCI DSS guidelines was released in July 2009. The council has now settled on a three-year release cycle, which means that PCI DSS 3.0 can be expected in October 2013. Merchants have the choice of applying either version 1.2.1 or 2.0 throughout 2011 before the older standard is pensioned off at the end of next year and version 2.0 becomes the only game in town.

Log management and regulatory compliance specialist LogRhythm notes that many organisations have yet to meet the PCI SSC’s previous recommendations. A survey by Redshift Research back in March revealed that just 11 per cent of UK organisations were PCI DSS compliant, an observation LogRhythm holds true even after September’s PCI compliance deadline for level one merchants

"Some of the anticipated changes by the PCI SSC can’t come too soon," said Ross Brewer, VP and MD of international markets at LogRhythm.

"Reports show high rates of non-compliance, a fact often viewed as a reflection of the lack of clarity which has negatively affected the standard in the past. Guidance on virtualisation and the alignment between PCI DSS and the Payment Application Data Security Standard will also be welcome, while the evolving requirement for centralised logging of payment transactions is a definite plus."

Brewer added that complaints about the clarity of PCI DSS are nothing new and sit alongside a much larger compliance headache many firms face. ®