PCI DSS – taking stock and moving forwards

“This year is feedback year,” Jeremy King, the European PCISSC director told Infosecurity. “Our standards are updated every three years, so this year we’re reaching out to our community to discover what we need to improve.” The response has been generally favorable with most requests simply focusing on a desire for more information. But, he added, “some of the smaller merchants (who might not have an IT department, never mind a security department) do sometimes find it more of a challenge. That’s been one of our key takeaways: we have to try and simplify the standard so that smaller merchants can understand it.”

King also told Infosecurity that some of these companies do everything right, but still get it wrong – through no fault of their own. They employ a security company to install the right security, but can be let down by an installation they don’t really understand. The installer can omit to set all the switches, or leave a default and insecure password in place. To counter this, he explained, the council is establishing a training and accreditation scheme for security implementers that will provide the merchant with confidence in the security installation.

These council meetings are for planning the future as much as taking stock of the past. Each year PCISSC sets up three special interest groups (SIGs) to examine particular areas of evolving interest. The current SIGs have been looking at e-commerce, cloud computing and a risk-based approach to security. “Take cloud computing,” said King. “Within the next month we’ll be releasing a document providing guidance on how to go about that in a secure way – understanding what it means if you’re moving your data into the cloud, and how you can do it securely. This meeting has been a sounding board to make sure everyone is happy with what we’ve done.”

The SIGs are an annual process, he told Infosecurity, and the meeting provides the hustings for the next year’s subjects. “We’ve had pitches from seven different organizations who want to suggest and focus on various areas for the SIGs of 2013 - presentations have come from Barclays, BT, and others who have suggested different topics to explore. On Monday we’ll be launching an election period for the industry to choose which areas we should focus on in these SIGs next year.”

Will mobile payments be one of these? Probably not, he said. “We’re aware of the increasing use of mobile in payments,” he said, “and we’re aware of the security challenges around this – in fact we’ve had a task force running for a year with all of the key industry players, the service providers, OS providers, and so on to look at how we can secure mobile payments.” The simple answer, he suggested, is that we’re not ready yet. While the industry has had years to understand and lock down the security on laptops, it is not yet in that position with mobile devices – they’re quite simply too insecure.

“We know everyone wants to do it, we know we’re going to make it secure, but at the moment we’re still working towards it. That is essentially our position,” he said, adding that so far PCISSC’s guidance is for the use of mobile as an acceptance device, not a payment device. “If you plug something into the device and want to use it to accept payments, this is what we currently consider to be best practice. The data can be read, encrypted and sent through the mobile phone encrypted so that the mobile phone is what it is: a transmitter.”
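The separation King describes, where the plug-in reader encrypts the card data and the phone is nothing more than a transmitter, can be shown as a small three-party simulation. This is an added example, not code from the article or from the PCI SSC: the HMAC-SHA256 counter-mode stream cipher with encrypt-then-MAC is a stand-in for whatever cipher an approved reader actually uses, the key and function names are invented for illustration, and the card data is a constructed test-style string.

```python
import hashlib
import hmac
import secrets


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream from HMAC-SHA256 in counter mode (stand-in cipher,
    not a claim about what a real P2PE reader uses)."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        block_input = nonce + counter.to_bytes(4, "big")
        blocks.append(hmac.new(enc_key, block_input, hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def reader_encrypt(enc_key: bytes, mac_key: bytes, card_data: bytes) -> dict:
    """Reader side: encrypt-then-MAC the card data before it touches the phone.
    Only the reader and the processor ever hold enc_key and mac_key."""
    nonce = secrets.token_bytes(16)
    ciphertext = _xor(card_data, _keystream(enc_key, nonce, len(card_data)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def phone_forward(message: dict) -> dict:
    """Phone side: relay the opaque message unchanged, adding only transport
    metadata. No key material exists on the phone."""
    return {**message, "transport": "mobile-app"}


def phone_sees_card_data(message: dict, card_data: bytes) -> bool:
    """Check whether the relayed blob exposes the card data in the clear."""
    return card_data in bytes.fromhex(message["ciphertext"])


def processor_decrypt(enc_key: bytes, mac_key: bytes, message: dict) -> bytes:
    """Processor side: verify the tag in constant time, then decrypt.
    Any modification in transit (or a wrong key) is rejected before decryption."""
    nonce = bytes.fromhex(message["nonce"])
    ciphertext = bytes.fromhex(message["ciphertext"])
    tag = bytes.fromhex(message["tag"])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("message tampered with or wrong key")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def demo() -> bytes:
    """End-to-end run: reader -> phone -> processor, returning the recovered data."""
    enc_key = secrets.token_bytes(32)
    mac_key = secrets.token_bytes(32)
    card_data = b"4111111111111111=2512"  # constructed test-style track data
    message = phone_forward(reader_encrypt(enc_key, mac_key, card_data))
    assert not phone_sees_card_data(message, card_data)
    return processor_decrypt(enc_key, mac_key, message)


if __name__ == "__main__":
    print(demo())
```

The point of the layout is that the phone's application code never calls `_keystream` and is never handed a key, so compromising the handset yields only ciphertext; the authentication tag means a handset that alters the blob is detected at the processor rather than silently producing a wrong transaction.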
