A new version of the PCI-DSS payment card industry standard was published yesterday, and is due to come into effect at the start of January.
The new rules place a greater emphasis on promoting improved security rather than complying with pre-set rules.
PCI DSS 3.0 is designed to "help organisations take a proactive approach to protect cardholder data that focuses on security, not compliance", according to the PCI Security Standards Council*.
The key aim of PCI DSS 3.0 is to change merchants’ "mentality", so that good compliance disciplines are adopted operationally as part of their normal business practices rather than treated as a hurdle to get over every year – like taking a car for an annual MOT (government traffic inspection) test.
Many infosec pros have historically criticised PCI as simply offering a minimal security baseline, containing such advice as "use an antivirus" and "protect cardholder data", rather than adopting a more risk- or business-focused approach.
A common finding to emerge from analysis of data breaches among merchants is that although they are often compliant at the time of their annual PCI DSS assessment, they are no longer compliant at the time of the data breach.
According to SureCloud, a UK-based provider of cloud-based IT governance services, many e-commerce merchants choose a “cram for the exam” approach that focuses only on being ready for the day of the assessment.
"Often, PCI DSS compliance is treated a bit like the annual MOT on your car," explained Richard Hibbert, chief exec of SureCloud. "You only fix the issues needed to pass the test instead of taking good care of your car all year round."
PCI DSS specifies the "security rules" under which merchants and banks are supposed to process credit card transactions. Merchants are obliged to adopt the standard if they don't want to face higher card processing fees in general and tougher fines in the case of problems. Continual non-compliance by merchants can result in payment processors pulling the plug on e-commerce outfits, leaving businesses without the ability to take e-commerce payments. The standard was placed on a three-year refresh cycle back in 2011.
Small merchants can self-assess
Compliance for small merchants can be achieved through self-assessment, but larger outfits are obliged to hire an independent Qualified Security Assessor to run audits, a potentially costly exercise.
Transforming PCI DSS from an assessment-centric activity to a security programme would represent a major sea change. In addition, the latest version of the guidelines aims to place greater emphasis on the importance of staff security training.
Tightening up poor password security practices is among the key objectives of the revised standard. The PCI DSS update clarifies the importance of changing default passwords for application/service accounts, as well as user accounts, to address gaps in basic password security practices that are leading to compromises.
Matt Middleton-Leal, regional director for UK & Ireland at security tools firm CyberArk, commented: “It’s extremely encouraging that the latest revision of PCI DSS is moving away from focusing solely on compliance, and moving towards best-practice security.
"As we continue to see privileged account credentials and passwords as primary targets in almost all major breaches, it’s great that this latest version of the standard is taking steps towards addressing this crucial part of the problem."
Biz bods will have to change password policy... Are you also praying your local grocer doesn't use 123456?
“The proposed changes state that revised password policies should include guidance on ‘choosing strong passwords, protecting their credentials, changing passwords on suspicion of compromise’. While this is certainly a step in the right direction, I would argue that we need to go further in order to adequately protect these extremely powerful credentials.
"Rather than waiting for suspicious activity before taking action, organisations should arm themselves with the best possible defence by establishing a centrally managed privileged account security policy. This will allow organisations to determine how regularly passwords need to be changed and can allow users to easily set, manage and monitor password security from one single interface."
“By simplifying the password management process and giving control back to the security, risk and audit teams, companies can be sure that they are not only compliant with PCI DSS v3.0, but also that they are doing everything they can to pro-actively protect their customers’ payment card data,” he added.
Ross Brewer, vice president and managing director for international markets at security dashboard vendor LogRhythm, said that weak passwords are simply the most obvious example of poor security practices that leave businesses exposed to greater risks from potentially costly and embarrassing security breaches.
Not just cardholders' info at risk
"There’s no doubt that cyber attacks are continuing to grow in sophistication and pose a very real, very serious threat to all businesses, not just those processing cardholder information. As a result, it’s become crucial that issues such as weak passwords, lack of authentication processes and inconsistent assessments are addressed – and regulated – to reflect this. That said, a lack of awareness and inadequate training on standards such as PCI is simply no longer acceptable."
Brewer backed the attempt to develop PCI-DSS compliance away from once-a-year inspections towards a continuous process, integrated with the day-to-day activities of an e-commerce business.
“A big concern is that organisations tend to view compliance as a one-off obligation, taking a check-box approach which leaves security a mere afterthought once certification has been achieved. This is simply unforgivable in this day and age, and indicates a clear lack of common sense – particularly when security breaches are reported so frequently and customer confidence continues to nosedive."
Bernard Zelmans, general manager of EMEA at FireMon, said: “There have been few subjects that have stirred more controversy in information security than PCI DSS. Some say it has done more to raise the level of security preparedness of millions of merchants than anything before, whereas others claim it is responsible for dumbing-down security to a checkbox standard.
"If the new risk-based approach will result in organisations adopting better security standards, then PCI DSS 3.0 will have succeeded where its predecessors have come up short.
"If nothing else, the PCI council and its members responsible for drafting the new version of the standards have listened to those in the industry who wanted to see PCI DSS evolve. This should result in greater support for PCI DSS within the information security industry.”
A look at the difference between compliance and security in the context of infosec, via the analogy of motorcycle safety, comes in an entertaining video from infosec blogger Javvad Malik (below).
*The PCI Security Standards Council is a forum charged with the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands (American Express, MasterCard Worldwide and Visa), the council is made up of 650 participating organisations representing merchants, banks, processors and vendors worldwide.