PCI SSC Releases Standards Version 3.0 Preview

Typically, implementing PCI DSS has been an exercise in compliance, where companies check the boxes once a year to confirm they are adhering to the standard. Going forward, as set out in the highlights document, PCI SSC wants payment security to become a day-to-day consideration rather than an annual event.

“We are looking to create a culture of security by developing a more process-oriented version of the standards and fostering more education and awareness for IT personnel,” said Troy Leach, PCI SSC CTO, in an interview. “We want to make the new version more of a compass than a roadmap. For instance, the document and policy requirements that were previously handled by audit personnel are now laced throughout the standard, so each member of the IT staff is aware of those best practices in an everyday way.”

For instance, the PA-DSS now places more responsibility on the businesses using payment apps and has created more requirements for education and training for application developers, so more security is required throughout the development lifecycle of payment applications. “There’s a sense that all security and all software is being validated through extensive security mechanisms, but in reality developers are pushing apps faster than they’re validating the security integrity of them,” Leach said. “One of the things we’ve thought about in Version 3.0 is, how do we level-set? What is the appropriate amount of security testing for applications? How much testing are we doing for things outside of the normal process? How much are app developers and other people thinking like the attacker to determine the types of ways that the app can be exploited?”

As more businesses move to the cloud, the security challenges are escalating when it comes to apps and services. “We are seeing an ever-increasing dependency on third parties,” said Leach. “Companies are managing more services, and outsourcing roles that were previously managed internally. It’s critical that they make certain that every third party—and those third parties’ own third-party partners—maintain the highest level of security.”

Smaller merchants in particular typically don’t have a robust security department, and, looking to conserve resources, they will often outsource their processes and information to the aforementioned third parties and cloud services. They also tend to embrace mobile options more.

“Especially with the advent of mobile, you have hundreds of thousands, if not millions more merchants that were not accepting credit cards before, now accepting credit cards,” Bob Russo, PCI SSC general manager, told Infosecurity. And, he said that they’re often doing this via devices meant for consumers, like iPhones and iPads.

That phenomenon is also creating larger aggregates of cardholder data, which in turn become more of a target for organized crime. “You have millions of merchants coming online, which each may do a small number of transactions but as an aggregate in a cloud service adds up to a significant volume,” Leach added.

“Today, most organizations have a good understanding of PCI DSS and its importance in securing card data, but implementation and maintenance remains a struggle – especially in light of increasingly complex business and technology environments,” said Russo. “The challenge for us now is providing the right balance of flexibility, rigor and consistency within the standards to help organizations make payment security business-as-usual. And that’s the focus of the changes we’re making with version 3.0.”

Version 3.0 also revamps the standard’s approach to password complexity. PCI SSC has introduced some flexibility here: it retains the existing requirement for passwords of at least seven characters containing both letters and numbers, but it now also allows alternatives of equivalent strength, such as longer passphrases that are easier to remember.

Changes to the standards are being made based on feedback from the Council’s global constituents per the PCI DSS and PA-DSS development lifecycle, and in response to market needs. Key drivers for version 3.0 updates include: lack of education and awareness; weak passwords and authentication challenges; third-party security challenges; slow self-detection in response to malware and other threats; and inconsistency in assessments.

Based on feedback from the industry, in 2010 the Council moved from a two-year to a three-year standards development lifecycle. The additional year provides a longer period to gather feedback and more time for organizations to implement changes before a new version is released. As such, Version 3.0 will introduce more changes than version 2.0, with several new sub-requirements. The overall goal is to provide organizations with a framework for assessing the risk involved with technologies and platforms and the flexibility to apply these principles to their unique payment and business environments, such as e-commerce, mobile acceptance or cloud computing.

The highlights document, a preview of the new version of the standards coming in November 2013, will help PCI Participating Organizations and the assessment community as they prepare to review and discuss draft versions of the standards at the 2013 Community Meetings in September and October. The Council will also host a webinar series in the coming weeks for the PCI community and the general public to outline the proposed changes. Final changes will be determined after the PCI Community Meetings and incorporated into the final versions of the PCI DSS and PA-DSS, to be published on November 7. The standards become effective January 1, 2014, but to ensure adequate time for the transition, version 2.0 will remain active until December 31, 2014.