
Risk

8/20/2013
06:50 PM

Is PCI Growing Up?

Highlights of proposed changes in PCI DSS 3.0 suggest more significant movement to push organizations into more mature risk management activities

Last week's sneak peek by the PCI Security Standards Council into the highlights of the upcoming PCI DSS 3.0 revision set industry tongues wagging once again about the direction of the ever-evolving state of the payment card compliance standards. While the highlights may not reflect all of the changes on tap -- and there are always plenty of diverse opinions about PCI -- many experts agreed that this time around, the council is baking in more provisions to move the exercise of PCI compliance beyond point-in-time, check-box activities into continuous compliance and, eventually, more mature risk management practices.

Jacob Ansari, a QSA for 403 Labs, says this has always been the end game of the council and its general manager, Bob Russo, who has long advocated for PCI to act as the low-water mark at retail organizations and other card-processing companies that fall under the standard's purview.

"If you read the press releases from the people at the PCI SSC very carefully, you'll see that they always call PCI DSS a baseline for protecting cardholder data," Ansari says, explaining that's the whole point of Requirement 12.1.2, "which gives the organization latitude to implement controls above those required for PCI DSS compliance."

[Are you ready for another risk management acronym? See Will IT GRC Become IRM?]

However, now the council is taking further steps to bring the letter of the law, the standard itself, closer in line with the principles it has preached and which some more stringent assessors have already been enforcing.

"Some of the changes that look like an increase in rigor on a specific requirement are already happening with forward-thinking and rigorous assessors," Ansari says.

The formalization of requirements that push organizations toward risk management practices and security processes that persist beyond auditor visits is important both for the credibility of the standard and for the health of security practices at organizations subject to PCI scrutiny, says Philip Lieberman, CEO of Lieberman Software.

"The existing point-in-time PCI standard is a sham that produces little real security. It was a boon to auditors and charlatans that provided PCI certifications for boatloads of money, yet delivered little to nothing of any real value to their clients," Lieberman says. "The PCI 3.0 replacement should produce real results and has been long overdue."

This starts with what Branden Williams, a former member of the PCI Council board of advisers and currently executive vice president at Sysnet Global Solutions, believes could be the most important addition in PCI 3.0.

"The most impactful change will probably be the mandatory inventory of PCI-impacted systems," Williams says. "Formalizing this will force companies to put process around keeping this up to date, which will highlight key systems that need special attention."

For his part, Ansari says the weight of the impact on compliant organizations will depend on the industry in which they operate.

"Merchants with hardware devices might need to make a lot of changes or put far-reaching, new procedures in place to deal with the physical security controls for payment terminals," he says. "Organizations that have a lot of complex network rules to segment their in-scope networks from their out-of-scope networks might find some surprises when the penetration testing intended to validate their segmentation effort shows otherwise."

Given that many of the proposed changes to the standard address fundamental changes to risk management processes rather than nitty-gritty changes to individual practices, there are bound to be growing pains in the transition to PCI 3.0. For example, says Williams, the penetration testing clarifications could trip up many a check-the-box-focused organization.

"Companies have been getting by for a while doing the absolute minimum, so putting more structure around this might have the impact of an entirely different-looking penetration testing process," he says.

Similarly, some organizations are going to have a hard time with additional application security requirements.

"Organizations with significant software development efforts that struggle to keep pace with threats to application software, particularly Web applications, and to integrate good security practice into their development efforts may find the proposed changes for more formal security practice as part of their software development life cycle challenging," Ansari warns.

Both Williams and Ansari believe that while organizations should definitely pay attention to early speculation about the evolution of the standard, they should remember that speculation is exactly that until the specific language changes are released.

"Until we see the actual requirement words and validation procedures, it's hard to fully understand the impact that 3.0 will have for merchants and service providers," Williams says.

That said, he does hope the council works to better tie the base standard to its technology guides for things like mobile or cloud. He doesn't think that necessarily means directly addressing it in the standard, but that it would be a good start to point assessors to the council's own documents to clarify confusion. He also wonders whether this latest round of changes will be enough to get the council truly caught up with changes in the threat landscape.

"They are struggling to issue guidance around emerging trends in a timely and relevant fashion. For example, their cloud guidance issued this year suggested that the best course of action is to not use the technology," he says. "That doesn't help people trying to comply with the standard while leveraging emerging technologies and trends to stay competitive."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
MarciaNWC, User Rank: Apprentice, 8/21/2013 | 9:48:27 PM
re: Is PCI Growing Up?
Great move if the PCI standard can actually help organizations evolve from a point-in-time compliance exercise to ongoing risk management practices. For smaller organizations that may be a tall order.
Drew Conry-Murray, User Rank: Ninja, 8/22/2013 | 9:41:14 PM
re: Is PCI Growing Up?
This is definitely something to keep an eye on because PCI needs some serious work to move beyond its "check the box" mindset. Also, PCI and the card brands should stop trying to promote the notion that no PCI-compliant organization gets hacked. The PCI requirements are not a magic impenetrable shield.