Highlights of proposed changes in PCI DSS 3.0 suggest more significant movement to push organizations into more mature risk management activities
Last week's sneak peek by the PCI Security Standards Council into the highlights of the upcoming PCI DSS 3.0 revision set industry tongues wagging once again about the direction of the ever-evolving state of the payment card compliance standards. While the highlights may not reflect all of the changes on tap -- and there are always plenty of diverse opinions about PCI -- many experts agreed that this time around, the council is baking in more provisions to move the exercise of PCI compliance beyond point-in-time, check-box activities into continuous compliance and, eventually, more mature risk management practices.
Jacob Ansari, a QSA for 403 Labs, says this has always been the end game of the council and its general manager, Bob Russo, who has long advocated for PCI to act as the low-water mark at retail organizations and other card-processing companies that fall under the standard's purview.
"If you read the press releases from the people at the PCI SSC very carefully, you'll see that they always call PCI DSS a baseline for protecting cardholder data," Ansari says, explaining that's the whole point of Requirement 12.1.2, "which gives the organization latitude to implement controls above those required for PCI DSS compliance."
[Are you ready for another risk management acronym? See Will IT GRC Become IRM?.]
However, now the council is taking further steps to bring the letter of the law, the standard itself, closer in line with the principles it has preached and which some more stringent assessors have already been enforcing.
"Some of the changes that look like an increase in rigor on a specific requirement are already happening with forward-thinking and rigorous assessors," Ansari says.
The formalization of requirements that push organizations toward implementing risk management practices and security processes that persist beyond auditor visits are important for the credibility of the standard and the health of security practices at organizations subject to PCI scrutiny, says Philip Lieberman, CEO of Lieberman Software.
"The existing point-in-time PCI standard is a sham that produces little real security. It was a boon to auditors and charlatans that provided PCI certifications for boatloads of money, yet delivered little to nothing of any real value to their clients," Lieberman says. "The PCI 3.0 replacement should produce real results and has been long overdue."
This starts with what Branden Williams, a former member of the PCI Council board of advisers and currently executive vice president at Sysnet Global Solutions, believes could be the most important addition in PCI 3.0.
"The most impactful change will probably be the mandatory inventory of PCI-impacted systems," Williams says. "Formalizing this will force companies to put process around keeping this up to date, which will highlight key systems that need special attention."
For his part, Ansari says the weight of impact on compliant organizations will depend on which industry they operate.
"Merchants with hardware devices might need to make a lot of changes or put far-reaching, new procedures in place to deal with the physical security controls for payment terminals," he says. "Organizations that have a lot of complex network rules to segment their in-scope networks from their out-of-scope networks might find some surprises when the penetration testing intended to validate their segmentation effort shows otherwise."
Given that many proposed changes to the standard tackle more fundamental root changes to risk management processes rather than nitty-gritty changes to individual practices, there are bound to be growing pains transitioning into PCI 3.0. For example, says Williams, the penetration testing clarifications could trip up many a check-the-box-focused organization.
"Companies have been getting by for a while doing the absolute minimum, so putting more structure around this might have the impact of an entirely different-looking penetration testing process," he says.
Similarly, some organizations are going to have a hard time with additional application security requirements.
"Organizations with significant software development efforts may find keeping pace with threats to application software, particularly Web applications, and that struggle to integrate good security practice into their development efforts may find proposed changes for more formal security practice as part of their software development life cycle challenging," Ansari warns.
Both Williams and Ansari believe that while organizations should definitely pay attention to early speculation about the evolution of the standard, they should remember that speculation is exactly that until the specific language changes are released.
"Until we see the actual requirement words and validation procedures, it's hard to fully understand the impact that 3.0 will have for merchants and service providers," Williams says.
That said, he does hope the council works to better tie the base standard to its technology guides for things like mobile or cloud. He doesn't think that necessarily means directly addressing it in the standard, but that it would be a good start to point assessors to the council's own documents to clarify confusion. He also wonders whether this latest round of changes will be enough to get the council truly caught up with changes in the threat landscape.
"They are struggling to issue guidance around emerging trends in a timely and relevant fashion. For example, their cloud guidance issued this year suggested that the best course of action is to not use the technology," he says. "That doesn't help people trying to comply with the standard while leveraging emerging technologies and trends to stay competitive."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. View Full Bio