I and many others have been saying for a long time that being compliant with a regulation or industry mandate does not make a computing environment secure. There are numerous reasons this is true, ranging from “the check list approach” to “not understanding the actual intent of specific compliance controls.” This is especially true when it comes to the Payment Card Industry – Data Security Standard, otherwise known as PCI-DSS.
As an example for many organizations:
- It’s easy to think of PCI compliance as just another annual audit to go through, because after the annual audit, many believe they are safe for another year. Companies with this mindset fail to understand that compliance does not always translate to security.
- PCI-DSS lacks clarity and many participants do not understand the intent of many of the provisions. For example, PCI may require a merchant to deploy a Web Application Firewall (WAF), but the standard doesn’t specify WAF configuration requirements or even why the device is needed in the first place. This can be a major issue for merchants that are not very security and tech savvy and who often adopt security systems without changing default settings.
In an effort to address these issues, as well as the evolving industry and technology trends, the Payment Card Industry Council has been working to revise and clarify the standard(s). Recently the council released a preview of their Data Security Standard version 3, better known as PCI DSS 3.0. In their document, the PCI standards group outlines the high points of their proposed changes that will be finalized in November.
At a high level, PCI-DSS 3.0 is intended to shift the focus from compliance and the related audits to preventing breaches through appropriate security. Specifically, this release is designed to address and resolve the lack of awareness around payment security and educate organizations so they can better understand how to implement PCI-DSS guidelines correctly.
Beyond awareness and education, the council wants all parties that process credit card data to think about compliance more frequently. To put it another way, the PCI Council does not want organizations to just check off boxes in order to show compliance at a point in time. Rather, the council wants all PCI participants to actively protect themselves and their customers from risks and to maintain compliance as part of business-as-usual practices.
Key drivers for the version 3.0 updates include: a lack of education and awareness around payment security, together with poor implementation and maintenance of the PCI standards, which lead to many of the security breaches happening today; weak passwords and authentication challenges that lead to cardholder data compromise; third-party security challenges; slow self-detection in response to malware and other threats; and inconsistency in assessments.
The PCI DSS 3.0 changes are to be released in November and are intended to accomplish the following:
- Increase the overall understanding of the intent of the requirements and how to apply them. This will hopefully drive more consistency among assessors and eliminate inconsistent interpretations of both scope and requirement intent. Inconsistency in both interpretation and understanding of compliance objectives has been an issue since the initial rollout of “all” compliance regulations and standards.
- Provide participants flexibility in managing evolving risks and threats and the continual changes in technology, such as mobile and cloud adoption, and, most importantly, align PCI with industry best practices.
- Clarify scoping and reporting to eliminate the frustration of audit creep by assessors.
- Eliminate redundancy in sub-requirements and reduce the documentation burden merchants and other parties face through consolidation of requirements.
While the proposed changes are going to be a breath of fresh air for most of the organizations that process credit card data, there will always be those organizations that do not have either the budget or mindset to “proactively” look at security as a way to easily achieve compliance.
As with many compliance mandates, PCI has negative enforcement mechanisms, such as fines and losing the ability to process credit card data for non-compliance. To that end, I have to wonder if the PCI council has considered “random unscheduled” assessments, similar to restaurant health inspections, to see if participants are compliant during the course of the year.
While issues such as scheduling, who would conduct the assessments, and who would pay for them would have to be fleshed out, I believe the benefits to the market and consumers would outweigh the scheduling and cost issues. Such a program would allow the PCI Council to “proactively” provide greater assurance that market participants are embracing the intent of the mandates and provide more comfort to credit card holders that their data is being continually protected.
To view the proposed changes visit the PCI SSC website: https://www.pcisecuritystandards.org/security_standards/documents.php