8/20/2013 06:50 PM

Is PCI Growing Up?

Highlights of proposed changes in PCI DSS 3.0 suggest more significant movement to push organizations into more mature risk management activities

Last week's sneak peek by the PCI Security Standards Council into the highlights of the upcoming PCI DSS 3.0 revision set industry tongues wagging once again about the direction of the ever-evolving state of the payment card compliance standards. While the highlights may not reflect all of the changes on tap -- and there are always plenty of diverse opinions about PCI -- many experts agreed that this time around, the council is baking in more provisions to move the exercise of PCI compliance beyond point-in-time, check-box activities into continuous compliance and, eventually, more mature risk management practices.

Jacob Ansari, a QSA for 403 Labs, says this has always been the end game of the council and its general manager, Bob Russo, who has long advocated for PCI to act as the low-water mark at retail organizations and other card-processing companies that fall under the standard's purview.

"If you read the press releases from the people at the PCI SSC very carefully, you'll see that they always call PCI DSS a baseline for protecting cardholder data," Ansari says, explaining that's the whole point of Requirement 12.1.2, "which gives the organization latitude to implement controls above those required for PCI DSS compliance."


However, now the council is taking further steps to bring the letter of the law, the standard itself, closer in line with the principles it has preached and which some more stringent assessors have already been enforcing.

"Some of the changes that look like an increase in rigor on a specific requirement are already happening with forward-thinking and rigorous assessors," Ansari says.

The formalization of requirements that push organizations toward risk management practices and security processes that persist beyond auditor visits is important both for the credibility of the standard and for the health of security practices at organizations subject to PCI scrutiny, says Philip Lieberman, CEO of Lieberman Software.

"The existing point-in-time PCI standard is a sham that produces little real security. It was a boon to auditors and charlatans that provided PCI certifications for boatloads of money, yet delivered little to nothing of any real value to their clients," Lieberman says. "The PCI 3.0 replacement should produce real results and has been long overdue."

This starts with what Branden Williams, a former member of the PCI Council board of advisers and currently executive vice president at Sysnet Global Solutions, believes could be the most important addition in PCI 3.0.

"The most impactful change will probably be the mandatory inventory of PCI-impacted systems," Williams says. "Formalizing this will force companies to put process around keeping this up to date, which will highlight key systems that need special attention."

For his part, Ansari says how heavily the changes affect compliant organizations will depend on the industry in which they operate.

"Merchants with hardware devices might need to make a lot of changes or put far-reaching, new procedures in place to deal with the physical security controls for payment terminals," he says. "Organizations that have a lot of complex network rules to segment their in-scope networks from their out-of-scope networks might find some surprises when the penetration testing intended to validate their segmentation effort shows otherwise."

Given that many proposed changes to the standard address fundamental changes to risk management processes rather than nitty-gritty changes to individual practices, there are bound to be growing pains in the transition to PCI 3.0. For example, says Williams, the penetration testing clarifications could trip up many a check-the-box-focused organization.

"Companies have been getting by for a while doing the absolute minimum, so putting more structure around this might have the impact of an entirely different-looking penetration testing process," he says.

Similarly, some organizations are going to have a hard time with additional application security requirements.

"Organizations with significant software development efforts that struggle to keep pace with threats to application software, particularly Web applications, and to integrate good security practice into their development efforts may find the proposed changes for more formal security practice as part of their software development life cycle challenging," Ansari warns.

Both Williams and Ansari believe that while organizations should definitely pay attention to early speculation about the evolution of the standard, they should remember that speculation is exactly that until the specific language changes are released.

"Until we see the actual requirement words and validation procedures, it's hard to fully understand the impact that 3.0 will have for merchants and service providers," Williams says.

That said, he does hope the council works to better tie the base standard to its technology guides for things like mobile or cloud. He doesn't think that necessarily means directly addressing it in the standard, but that it would be a good start to point assessors to the council's own documents to clarify confusion. He also wonders whether this latest round of changes will be enough to get the council truly caught up with changes in the threat landscape.

"They are struggling to issue guidance around emerging trends in a timely and relevant fashion. For example, their cloud guidance issued this year suggested that the best course of action is to not use the technology," he says. "That doesn't help people trying to comply with the standard while leveraging emerging technologies and trends to stay competitive."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Drew Conry-Murray, User Rank: Ninja, 8/22/2013 | 9:41:14 PM
re: Is PCI Growing Up?
This is definitely something to keep an eye on because PCI needs some serious work to move beyond its "check the box" mindset. Also, PCI and the card brands should stop trying to promote the notion that no PCI-compliant organization gets hacked. The PCI requirements are not a magic impenetrable shield.
MarciaNWC, User Rank: Apprentice, 8/21/2013 | 9:48:27 PM
re: Is PCI Growing Up?
Great move if the PCI standard can actually help organizations evolve from a point-in-time compliance exercise to ongoing risk management practices. For smaller organizations that may be a tall order.