Risk
8/20/2013
06:50 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Is PCI Growing Up?

Highlights of proposed changes in PCI DSS 3.0 suggest more significant movement to push organizations into more mature risk management activities

Last week's sneak peek by the PCI Security Standards Council into the highlights of the upcoming PCI DSS 3.0 revision set industry tongues wagging once again about the direction of the ever-evolving state of the payment card compliance standards. While the highlights may not reflect all of the changes on tap -- and there are always plenty of diverse opinions about PCI -- many experts agreed that this time around, the council is baking in more provisions to move the exercise of PCI compliance beyond point-in-time, check-box activities into continuous compliance and, eventually, more mature risk management practices.

Jacob Ansari, a QSA for 403 Labs, says this has always been the end game of the council and its general manager, Bob Russo, who has long advocated for PCI to act as the low-water mark at retail organizations and other card-processing companies that fall under the standard's purview.

"If you read the press releases from the people at the PCI SSC very carefully, you'll see that they always call PCI DSS a baseline for protecting cardholder data," Ansari says, explaining that's the whole point of Requirement 12.1.2, "which gives the organization latitude to implement controls above those required for PCI DSS compliance."

[Are you ready for another risk management acronym? See Will IT GRC Become IRM?.]

However, now the council is taking further steps to bring the letter of the law, the standard itself, closer in line with the principles it has preached and which some more stringent assessors have already been enforcing.

"Some of the changes that look like an increase in rigor on a specific requirement are already happening with forward-thinking and rigorous assessors," Ansari says.

The formalization of requirements that push organizations toward implementing risk management practices and security processes that persist beyond auditor visits are important for the credibility of the standard and the health of security practices at organizations subject to PCI scrutiny, says Philip Lieberman, CEO of Lieberman Software.

"The existing point-in-time PCI standard is a sham that produces little real security. It was a boon to auditors and charlatans that provided PCI certifications for boatloads of money, yet delivered little to nothing of any real value to their clients," Lieberman says. "The PCI 3.0 replacement should produce real results and has been long overdue."

This starts with what Branden Williams, a former member of the PCI Council board of advisers and currently executive vice president at Sysnet Global Solutions, believes could be the most important addition in PCI 3.0.

"The most impactful change will probably be the mandatory inventory of PCI-impacted systems," Williams says. "Formalizing this will force companies to put process around keeping this up to date, which will highlight key systems that need special attention."

For his part, Ansari says the weight of impact on compliant organizations will depend on which industry they operate.

"Merchants with hardware devices might need to make a lot of changes or put far-reaching, new procedures in place to deal with the physical security controls for payment terminals," he says. "Organizations that have a lot of complex network rules to segment their in-scope networks from their out-of-scope networks might find some surprises when the penetration testing intended to validate their segmentation effort shows otherwise."

Given that many proposed changes to the standard tackle more fundamental root changes to risk management processes rather than nitty-gritty changes to individual practices, there are bound to be growing pains transitioning into PCI 3.0. For example, says Williams, the penetration testing clarifications could trip up many a check-the-box-focused organization.

"Companies have been getting by for a while doing the absolute minimum, so putting more structure around this might have the impact of an entirely different-looking penetration testing process," he says.

Similarly, some organizations are going to have a hard time with additional application security requirements.

"Organizations with significant software development efforts may find keeping pace with threats to application software, particularly Web applications, and that struggle to integrate good security practice into their development efforts may find proposed changes for more formal security practice as part of their software development life cycle challenging," Ansari warns.

Both Williams and Ansari believe that while organizations should definitely pay attention to early speculation about the evolution of the standard, they should remember that speculation is exactly that until the specific language changes are released.

"Until we see the actual requirement words and validation procedures, it's hard to fully understand the impact that 3.0 will have for merchants and service providers," Williams says.

That said, he does hope the council works to better tie the base standard to its technology guides for things like mobile or cloud. He doesn't think that necessarily means directly addressing it in the standard, but that it would be a good start to point assessors to the council's own documents to clarify confusion. He also wonders whether this latest round of changes will be enough to get the council truly caught up with changes in the threat landscape.

"They are struggling to issue guidance around emerging trends in a timely and relevant fashion. For example, their cloud guidance issued this year suggested that the best course of action is to not use the technology," he says. "That doesn't help people trying to comply with the standard while leveraging emerging technologies and trends to stay competitive."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
8/22/2013 | 9:41:14 PM
re: Is PCI Growing Up?
This is definately something to keep an eye on because PCI needs some serious work to move beyond its "check the box" mindset. Also, PCI and the card brands should stop trying to promote the notion that no PCI-compliant organization gets hacked. The PCI requirements are not a magic impenatrable shield.
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
8/21/2013 | 9:48:27 PM
re: Is PCI Growing Up?
Great move if the PCI standard can actually help organizations evolve from a point-in-time compliance exercise to ongoing risk management practices. For smaller organizations that may be a tall order.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2336
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.