Planning for PCI DSS 3.0: What you need to know


November 29, 2013 | bobsguide

The new Payment Card Industry Data Security Standard (PCI DSS 3.0) was released on 7 November 2013 and will have serious consequences for payment processors, financial institutions, retailers and technology vendors says Michael Aminzade, director of delivery for the EMEA and APAC regions at infosec services and solutions vendor, Trustwave.

PCI DSS 3.0 is a requirement for businesses that process, store or transmit payment card information and is designed to help them protect that information from a data breach. It was published by the PCI Security Standards Council (PCI SSC) on 7 November and presages change for the card payments sector. When drafting the updated PCI DSS 3.0 stipulations, the Council used feedback from industry experts about previous iterations of the standard, including which parts worked and what areas needed improvement. While many parts of the new version 3.0 standard should help businesses better protect their customers’ information, PCI DSS 3.0 still fails to address a few critical areas and I intend to review them in this blog.

One crucial element that I feel is missing from the updated 3.0 standard is mobile security, which in my opinion has not been sufficiently addressed. As more and more businesses incorporate mobile devices, mobile point-of-sale (MPoS), wallets and other mobile applications into their environment, the attack surface around customers’ payment card data grows, and with it the risk of a data breach.

Mobile Channel and MPoS Protections Need Strengthening
Third-party developers create applications for mobile devices, and if information security is not a front-burner issue during the development process, it can lead to a damaging data breach down the line. We have seen an uptick in businesses using mobile point-of-sale (MPoS) devices from Square, iZettle, PayPal Here, Intuit and numerous others for payment card transactions, and the trend cannot be ignored. If the devices and applications contain unpatched vulnerabilities, a business that uses them is at risk, and the PCI DSS 3.0 standard should have more to say about this issue.

Many organisations are moving to incorporate MPoS into their businesses without fully appreciating the risks it can pose. Mobile phones and tablets running PoS software can be jailbroken or rooted, and a compromised device leaves valuable customer card data in the hands of cyber-attackers. The issue is that many organisations are adopting these devices to keep up with consumer demand, often rushing to provide new functionality at the expense of security. Without relevant compliance controls in place, very little is currently being done to fully secure mobile devices. In our ‘2013 Trustwave Global Security Report’ we found a 400% increase in mobile malware last year in comparison to the previous year. If security is not taken more seriously during the development process, this increase may continue.

To its credit, the PCI SSC has issued a best-practice guideline for mobile security, but it is more than a year old and is presented as voluntary guidance, not a mandate. As it stands, therefore, any merchant can use and implement an MPoS device, even one that contains vulnerabilities, and still be in compliance with the PCI standard.

Benefits of Updated PCI DSS 3.0 Standard
On the positive side, it is important to recognise the improvements within the new PCI DSS 3.0 standard as well as to criticise what I feel is lacking in the mobile area. Perhaps the most important benefit of the new standard, in my opinion, is the ‘business-as-usual’ approach it adopts, which prioritises organisations taking a proactive approach to protecting cardholder data rather than one that is tick-box orientated and treats security as a mere add-on compliance exercise. Previous versions of the standard lent themselves to a ‘tick-the-box’ approach to compliance, in which businesses would fulfil minimum requirements in order to be compliant; it is far better to address security concerns earlier in the process.

The business-as-usual approach in the new standard aims to correct this by providing firms with guidance on incorporating information security activities into their regular business processes. The goal is for businesses to understand security first; by implementing the controls their specific environment needs, they become compliant as a consequence, and more robustly secure.

Conclusions
Overall, there have been some much-needed improvements in the updated PCI DSS 3.0 card payment standard. Some aspects, particularly around MPoS, are still lacking, but I must acknowledge that the PCI SSC’s ultimate goal is to help businesses understand and implement strategies to protect cardholder data, and I think they have been largely successful in this aim. As new mobile technologies and trends emerge, such as bring-your-own-device (BYOD) practices among staff, and with cardholder data still the top target for cyber-criminals, it is becoming increasingly important for businesses to understand how to protect not only cardholder information but customer data in general. The standard can help in this aim.

It must be recognised that compliance with the standard does not necessarily mean that a business has implemented the most effective security strategy. The best-practice approach is to view PCI DSS 3.0 compliance as the floor, not the ceiling, and to implement technologies, security awareness training and strategies focused on security itself. Going beyond the PCI stipulations means businesses will inevitably be compliant, but also far more secure and better prepared for developing cyber-threats.

PCI DSS 3.0 comes into voluntary effect on 1 January 2014 and becomes mandatory for all businesses processing or storing payment card data on 1 January 2015. If you have not read the new stipulations yet, it is time to do so; the standard is available from the PCI SSC website.
