The Payment Card Industry (PCI) Security Standards Council (SSC), an open, global forum for the development of payment-card security standards, recently gave us a preview of its new PCI Data Security Standard (DSS) guidelines that will be published by the Council in November 2013. Referred to as PCI DSS 3.0, the revised guidelines are designed to help companies make PCI DSS part of their business-as-usual activities by introducing more flexibility and an increased focus on education, awareness and security as a shared responsibility.
PCI standards apply to every organization that touches credit card information. Banks that handle and process cards, for example (and there are very few that don’t), are in scope of the PCI SSC. Even the humble bank branch may be treated as a merchant environment under PCI DSS, and so PCI DSS can have implications beyond the back office or transaction-processing systems in the data center. Previously, bank systems were considered too complex for all the controls of PCI DSS to apply, but this is definitely not the case today: banks, along with other financial institutions, need to pay close attention. PCI DSS 3.0 starts to shift toward a more continuous approach to risk mitigation and compliance. Similarly, continuous risk-mitigation technologies for sophisticated organizations have evolved dramatically since PCI DSS’s first incarnation and can be readily applied to even the most complex data processes, with dramatic cost-saving results.
So what do the new rules mean for banks?
A good place to start is to revisit how PCI DSS came about in the first place. PCI DSS 1.0 came out more than seven years ago as a new standard for addressing the emerging risks around payment data, merchants taking card payments, and the industries involved, including issuing banks and payment processors on the back end. But it really goes back even further than that. Visa, American Express, JCB, Discover and MasterCard had earlier implemented Cardholder Information Security Programs (CISPs), for example, but compliance with those programs varied. PCI DSS brought these loosely enforced mandates together and created a new level of harmony in the industry. To date, PCI DSS has made its biggest impact by requiring that organizations eliminate cardholder data where it’s not needed and limit exposure of cardholder data by protecting sensitive information. But as evidenced by serious and frequent breaches resulting in the exposure of millions of consumers’ credit card and other information, most of us agree that it hasn’t been enough.
So we now have PCI DSS 3.0, driven by the need for more continuous compliance postures in light of those breaches and the increasing sophistication of attacks. Not surprisingly, when assessors and investigators have reviewed many of the incidents, they find the merchants were not compliant at the time of the breach. PCI DSS 3.0 looks to tighten the areas where the most risk has been observed during the past few years, which is good news for data protection but also increases the PCI compliance burden for merchants with new, tighter assessment rules on the horizon.
However, it doesn’t matter if it’s PCI DSS 2.0 or 3.0 — the fact remains that while PCI DSS is an excellent standard to address a broad range of risks, any compliance assessment, no matter how frequent, measures risk only at a single point in time and provides no guarantee of protection.
Threats to data are continuous, as is the risk of a compromise. Vulnerabilities in the payment ecosystem cannot be eliminated if cardholder-data protection is not truly end-to-end. Any place or point in a payment-data process where live data is available and exploitable represents a continuous business risk. And it’s in those exploitable gaps that we see constant reports of insider attacks, malware-driven data compromise, and sophisticated directed attacks yielding cardholder data.
What’s Still Needed