Is PCI Growing Up?

Highlights of proposed changes in PCI DSS 3.0 suggest more significant movement to push organizations into more mature risk management activities

Last week's sneak peek by the PCI Security Standards Council into the highlights of the upcoming PCI DSS 3.0 revision set industry tongues wagging once again about the direction of the ever-evolving state of the payment card compliance standards. While the highlights may not reflect all of the changes on tap -- and there are always plenty of diverse opinions about PCI -- many experts agreed that this time around, the council is baking in more provisions to move the exercise of PCI compliance beyond point-in-time, check-box activities into continuous compliance and, eventually, more mature risk management practices.

Jacob Ansari, a QSA for 403 Labs, says this has always been the end game of the council and its general manager, Bob Russo, who has long advocated for PCI to act as the low-water mark at retail organizations and other card-processing companies that fall under the standard's purview.

"If you read the press releases from the people at the PCI SSC very carefully, you'll see that they always call PCI DSS a baseline for protecting cardholder data," Ansari says, explaining that's the whole point of Requirement 12.1.2, "which gives the organization latitude to implement controls above those required for PCI DSS compliance."

[Are you ready for another risk management acronym? See Will IT GRC Become IRM?]

However, now the council is taking further steps to bring the letter of the law, the standard itself, closer in line with the principles it has preached and which some more stringent assessors have already been enforcing.

"Some of the changes that look like an increase in rigor on a specific requirement are already happening with forward-thinking and rigorous assessors," Ansari says.

The formalization of requirements that push organizations toward implementing risk management practices and security processes that persist beyond auditor visits is important for the credibility of the standard and the health of security practices at organizations subject to PCI scrutiny, says Philip Lieberman, CEO of Lieberman Software.

"The existing point-in-time PCI standard is a sham that produces little real security. It was a boon to auditors and charlatans that provided PCI certifications for boatloads of money, yet delivered little to nothing of any real value to their clients," Lieberman says. "The PCI 3.0 replacement should produce real results and has been long overdue."

This starts with what Branden Williams, a former member of the PCI Council board of advisers and currently executive vice president at Sysnet Global Solutions, believes could be the most important addition in PCI 3.0.

"The most impactful change will probably be the mandatory inventory of PCI-impacted systems," Williams says. "Formalizing this will force companies to put process around keeping this up to date, which will highlight key systems that need special attention."

For his part, Ansari says the weight of the impact on compliant organizations will depend on the industry in which they operate.

"Merchants with hardware devices might need to make a lot of changes or put far-reaching, new procedures in place to deal with the physical security controls for payment terminals," he says. "Organizations that have a lot of complex network rules to segment their in-scope networks from their out-of-scope networks might find some surprises when the penetration testing intended to validate their segmentation effort shows otherwise."

Given that many proposed changes to the standard tackle more fundamental root changes to risk management processes rather than nitty-gritty changes to individual practices, there are bound to be growing pains transitioning into PCI 3.0. For example, says Williams, the penetration testing clarifications could trip up many a check-the-box-focused organization.
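The two changes Williams and Ansari single out, a maintained inventory of in-scope systems and validation that segmentation actually holds, can be checked continuously rather than once a year. The following is an added illustration, not code from the article or the PCI SSC: it takes a constructed inventory tagged in-scope/out-of-scope and a constructed first-match firewall rule set (all addresses and rules hypothetical) and reports every out-of-scope host the rules let reach a CDE host, which is exactly the kind of surprise a segmentation penetration test would otherwise surface.

```python
"""Segmentation check: flag rules that let out-of-scope hosts reach the CDE.

Added illustration, not from the article or the PCI SSC. The inventory and
the rule set are constructed sample data; hosts carry the scope tag the
mandatory inventory would record for them.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed inventory: host -> scope tag (hypothetical addresses).
INVENTORY: Dict[str, str] = {
    "10.10.1.10": "in_scope",     # payment switch (CDE)
    "10.10.1.11": "in_scope",     # tokenization service (CDE)
    "10.20.5.4": "out_of_scope",  # marketing web server
    "10.30.0.7": "out_of_scope",  # HR file share
}

# Constructed rules: (source CIDR, destination CIDR, dest port, action).
# First match wins; port 0 means "any port".
RULES: List[Tuple[str, str, int, str]] = [
    ("10.30.0.0/16", "10.10.1.0/24", 443, "deny"),
    ("10.0.0.0/8", "10.10.1.0/24", 443, "allow"),    # overly broad "any internal" rule
    ("10.20.0.0/16", "10.10.1.11/32", 8443, "allow"),
    ("0.0.0.0/0", "0.0.0.0/0", 0, "deny"),           # default deny
]


def is_allowed(src: str, dst: str, port: int) -> bool:
    """Evaluate the rule set for one flow; no match means deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, rule_port, action in RULES:
        if (s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net)
                and rule_port in (0, port)):
            return action == "allow"
    return False


def segmentation_violations(ports=(443, 8443)) -> List[Tuple[str, str, int]]:
    """Every (out-of-scope host, CDE host, port) flow the rule set permits."""
    cde = [h for h, tag in INVENTORY.items() if tag == "in_scope"]
    outside = [h for h, tag in INVENTORY.items() if tag == "out_of_scope"]
    return sorted((o, c, p) for o in outside for c in cde for p in ports if is_allowed(o, c, p))


if __name__ == "__main__":
    for src, dst, port in segmentation_violations():
        print(f"out-of-scope {src} can reach CDE host {dst}:{port}")
```

In the sample data the broad 10.0.0.0/8 rule and the narrow 8443 exception are what open the marketing server to the CDE; the HR share is stopped by the explicit deny that precedes them.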

"Companies have been getting by for a while doing the absolute minimum, so putting more structure around this might have the impact of an entirely different-looking penetration testing process," he says.

Similarly, some organizations are going to have a hard time with additional application security requirements.

"Organizations with significant software development efforts that struggle to keep pace with threats to application software, particularly Web applications, and to integrate good security practice into their development efforts may find the proposed changes for more formal security practice as part of their software development life cycle challenging," Ansari warns.

Both Williams and Ansari believe that while organizations should definitely pay attention to early speculation about the evolution of the standard, they should remember that speculation is exactly that until the specific language changes are released.

"Until we see the actual requirement words and validation procedures, it's hard to fully understand the impact that 3.0 will have for merchants and service providers," Williams says.

That said, he does hope the council works to better tie the base standard to its technology guides for things like mobile or cloud. He doesn't think that necessarily means directly addressing it in the standard, but that it would be a good start to point assessors to the council's own documents to clarify confusion. He also wonders whether this latest round of changes will be enough to get the council truly caught up with changes in the threat landscape.

"They are struggling to issue guidance around emerging trends in a timely and relevant fashion. For example, their cloud guidance issued this year suggested that the best course of action is to not use the technology," he says. "That doesn't help people trying to comply with the standard while leveraging emerging technologies and trends to stay competitive."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Drew Conry-Murray
User Rank: Ninja
8/22/2013 | 9:41:14 PM
re: Is PCI Growing Up?
This is definitely something to keep an eye on because PCI needs some serious work to move beyond its "check the box" mindset. Also, PCI and the card brands should stop trying to promote the notion that no PCI-compliant organization gets hacked. The PCI requirements are not a magic impenetrable shield.
User Rank: Apprentice
8/21/2013 | 9:48:27 PM
re: Is PCI Growing Up?
Great move if the PCI standard can actually help organizations evolve from a point-in-time compliance exercise to ongoing risk management practices. For smaller organizations that may be a tall order.