PCI 3.0 Draft Guidelines ReleasedPayment Card Security Update to Focus on Controls, Not Threats
Version 3.0 of the Payment Card Industry Data Security Standard, slated for release later this year, will focus on the standardization of PCI compliance assessments, says Bob Russo, general manager of the PCI Security Standards Council.
In August, the council issued a set of guidelines highlighting updates the industry can expect to see when Version 3.0 is released, he explains during an interview with Information Security Media Group [transcript below].
"With version 3.0, we are really helping organizations shore up controls," Russo says.
A growing concern merchants and organizations have expressed is the inconsistency in PCI compliance assessments, he says.
To improve consistency, the PCI Council is suggesting numerous changes to the testing procedures outlined in the standard, and it's clarifying the level of validation expected for each requirement of the standard as well, Russo says.
The PCI Council also is building into the standard the need for more education. "[That way], those implementing the standards in their organization have more information regarding what the goal of the control is and how it needs to be implemented," Russo says.
Although Version 3.0 of the standard won't take effect until January 2014, Russo says organizations need to begin assessing their business strategies and controls now.
"We've seen a lack of education in a lot of the breaches we have today," he says. "It underscores the need for more education and awareness. And education and awareness is an ongoing process."
The main message version 3.0 aims to share: Organizations have to focus on security, not compliance, Russo says.
During this interview, Russo discusses:
- Recommendations surrounding point-of-sale software and device testing;
- How the council is working with merchants and assessors; and
- Authentication challenges that version 3.0 addresses.
Russo brings more than 25 years of high-tech business management, operations and security experience to his role as the general manager of the PCI Security Standards Council. Russo guides the organization through its crucial charter, which is focused on improving data security standards for merchants, banks and other key stakeholders involved in the global payment card transaction process. To fulfill this role, Russo works with representatives from American Express, Discover Financial, JCB, MasterCard Worldwide and Visa International to drive awareness and adoption of the PCI-DSS.
PCI Version 3.0
TRACY KITTEN: Can you walk us through some of the points highlighted in Version 3.0?
BOB RUSSO: We published a preview of what the expected changes are in Version 3.0 of the PCI Data Security Standard as well as the PCI Application Data Security Standard, or the PA-DSS. The changes will help companies make DSS part of their business-as-usual activities, by introducing a lot more flexibility and increased focus on education and awareness, and security as really being a shared responsibility.
Some of the key updates will include recommendations for best practices for maintaining ongoing PCI-DSS compliance; moving security policy and operational procedures from Requirement 12 into each requirement; incorporating the tips and guidance from our Navigating PCI-DSS Guidance document into the standard; more flexibility and education around password strength and complexity; new requirements for point-of-sale terminal security; more robust requirements for penetration testing; and validating segmentation. There will be some considerations for cardholder data in memory, enhanced testing procedures to clarify the level of validation expected for each requirement, and expanded software development life-cycle security requirements for the PA-DSS.
Overall, the updates will give organizations a strong but flexible security architecture, with the principles that can be applied to their unique technology, payment and business environments.
Updates Every 3 Years
KITTEN: This is the first update to the PCI Data Security Standard, as well as the Payment Application Data Security Standard, to be issued since 2010. What impact has the decision to update those standards every three years, rather than every two, had this time around?
RUSSO: That's a really good question. By way of background for your listeners, in 2010, based on the feedback that we got from the PCI community, we changed from a two-year process for updating the standards to a three-year process. The additional year provides a longer period to gather feedback and more time for organizations to actually implement the changes before new versions are released. In this case, the additional time also allowed us for more feedback to come through, and, as a result, we're introducing more changes with Version 3.0 than we did with Version 2.0.
Focus on Education
KITTEN: Why is education such a focus this time around?
RUSSO: Updates to the standards are geared toward helping organizations better understand the intent of the requirements and how to properly implement and maintain the controls across their business. Changes to the PCI-DSS and the PA-DSS will help drive education and build awareness internally with business partners and customers as well.
KITTEN: How do you think education is going to be successful?
RUSSO: We've seen a lack of education and awareness in a lot of the breaches that we're seeing today. Just look at any of the latest forensic reports that we see, and it underscores the need for more education and awareness. Of course, education and awareness is really an ongoing process. It becomes more and more important as we make changes to these standards and we move forward that we keep up with the educational portion of this. As I say, security is a shared responsibility and that means that everybody needs to be educated about what the standards are, and, more importantly, how to keep up with them and how to maintain them so they help you stay secure.
KITTEN: What about best practices?
RUSSO: This is something that we're really excited about. The majority of the questions that we receive in the council about the standards are actually addressed in the Navigating PCI-DSS Resource guide. But we found that there are a lot of people who really aren't aware that the guide is out there. We're now adding all of this great information right into the standard, so you can see in an explanation and the context of the requirements. They're simpler; they're easier to understand; the language is easier to understand; and we're providing tips on ways to go about meeting the requirements and more. This added feature will be part of each requirement now.
Another new section that's planned is the best practices section for making PCI-DSS part of your business-as-usual activities. The real challenge we're seeing now is around implementation and maintenance of the standard. We think this addition, along with the changes throughout the standard focused on practical considerations and recommendations for building in security controls into your business, will go a long way in helping organizations improve their PCI-DSS programs, and move away from that checkbox mentality that everybody generally has when you talk about compliance. A good way to look at PCI now is that you should use it as your compass and not your roadmap.
Current High-Profile Breaches
KITTEN: Was this focus on third-party security a response to recent retail and payments processing breaches?
RUSSO: What's happening in terms of the breach landscape is really driving the feedback that we received from the PCI participating organizations and the assessors. As you mentioned, the forensics reports and the incidents we're seeing over the past several months point to self-detection and vulnerabilities introduced by third parties as two of the key trouble spots for organizations. ... The attackers are able to install malware onto a system because other missing controls allow them to have access; for example, weak vendor-supplied default passwords, insufficient firewall rules, things like that.
Redefining PCI Standards
KITTEN: How is the standard being redefined to better address some of those risks?
RUSSO: With Version 3.0, we're really focusing on helping organizations shore up controls. For example, adding clarification that default passwords for security software, like file-integrity monitoring, must be changed when you do the installation, by focusing on daily log reviews, on security relevant logs and on critical systems, and also by enhancing controls in the PA-DSS for payment applications to enforce changing the default vendor passwords during the installation process. The focus is less on specific risks and threats and more on helping organizations build these controls into their business-as-usual activities, so that they have the proper measures and mechanisms in place to identify, react to and mitigate risks and problem areas. At the same time, more rigorous testing procedures for validating proper implementation of the requirements are going to help organizations drive and maintain controls across all of their businesses.
KITTEN: How does the update address assessment improvements?
RUSSO: In their feedback, merchants and other organizations emphasized authentication challenges and a desire for more consistency among assessments as key areas that we needed to address in the updates. We're making a few different changes, in terms of authentication, by incorporating more education about choosing and implementing effective passwords, and providing flexibility for alternative ways to meet the requirements for authentication.
To drive improved consistency in the assessments, we're making changes to the testing procedures, to make it very clear what level of validation is expected for each requirement. Previously, we said, "Verify your fire safety controls are in place," as an example. And now we're spelling it out, basically saying, "Observe the fire protection system and confirm that the alarm battery works, that the sprinkler system is active and filled with water, and that the fire doors will resist up to a specific temperature and close the property."
Additionally, throughout the standards, we built in more education around the intent of each of the requirements so that those implementing the standards in their organizations have more information regarding what the goal of the control is and how they need to implement it.
KITTEN: Can you walk us through some of the points that are highlighted in the PA-DSS, relative to expanded software development?
RUSSO: We're pretty excited about some of the enhancements planned for PA-DSS, which we think will help drive more secure software development. I mentioned earlier that one of the key themes in Version 3.0 is around security as a shared responsibility; so many of the changes that we're making focus on emphasizing security in various pieces of the process.
For example, we're still seeing compromises happen because organizations think that [if] they have a PA-DSS-validated application in place, they're secure, when, in reality, if the application is not set up correctly or installed in the right way, not only does it not support PCI-DSS compliance, but it's also not secure. We're making changes that clarify this and are adding requirements that will focus on training and education for those who are actually installing the application in our QIR program. Initially, a big part of the changes the PA-DSS focused on revolved around driving security into the development lifecycle process, such as enhanced requirements for system development processes, including periodic security reviews, verifying the integrity of the source code and threat modeling, all needing to be done before the final release of the software from the vendor.
PCI Community Meetings
KITTEN: What should organizations be thinking about between now and when the updates are issued?
RUSSO: The PCI participating organizations and the assessors have a chance to attend our community meetings, as you said, and discuss the standards and updates and ask questions. They'll actually get draft copies of the standards, plus a detailed summary of the changes between Version 2 and Version 3 a couple of weeks before the meetings take place. Between now and then, there are a few things we can recommend. First, review this document now and get a sense of the changes coming and the impact they will have on your organization. Talk with the folks inside your business: Who is responsible for security? Make sure they're aware of what the updates are. Second, be sure to attend the webinar we'll be running that will talk about these changes in more depth. You can visit our website for details and register for that webinar as well. Lastly, if you're part of the PCI community, make sure to review the drafted standards and summary of changes before coming to the community meetings, so that you're informed about what the updates are and can get your questions answered while you're at the meeting.