The Green Sheet

Friday, August 23, 2013

PCI preview not immune from criticism

Almost three years have passed since the PCI Security Standards Council (PCI SSC) updated the global data security standards designed to safeguard electronic payment transactions. As the council gears up to release version 3.0 of the Payment Card Industry (PCI) Data Security Standard (DSS) and its companion payment application standard, criticism leveled at the proposed update concerns whether the standards are flexible enough to keep up with the rapidly evolving payments landscape and to accommodate merchants with varying data security parameters and resources.

The PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) 3.0 Change Highlights, published in August 2013, previews the updated PCI DSS and the related Payment Application-DSS to be released in November 2013. The council said that the proposed updates address weaknesses in current data security processes, including lack of education and awareness; weak passwords and authentication challenges; third-party security challenges; slow self-detection in response to malware and other threats; and inconsistencies in assessments.

"Lack of education and awareness around payment security, coupled with poor implementation and maintenance of the PCI Standards, gives rise to many of the security breaches happening today," the PCI SSC said.

Additionally, the council believes that the updates will increase the flexibility of the PCI DSS as they will address how to mitigate data compromises that result from weak passwords and authentication methods, malware and poor self-detection processes. "This will enable organizations to take a more customized approach to addressing and mitigating common risks and problem areas," the council noted.

Risk assessment difficulties

According to Greg Rosenberg, Sales Engineer at Trustwave and a Qualified Security Assessor, the standard has evolved to the point where no major revisions to it are necessary. "What they've gotten really good at is maturing the standards to the point where a lot of the changes tend to be clarification, application of existing standards and additional guidance," he said.

However, given that the standards have not yet been officially updated, Rosenberg believes the proposal fails to address two major shortcomings in the standards: risk assessment procedures and mobile payment security. Rosenberg believes the PCI SSC missed an opportunity to "really beef up" the risk assessment controls by not making the assessment process continuous for merchants rather than something undertaken once a year.

It speaks to a lack of flexibility in the standard, Rosenberg said. He stated that assessments could be based on a risk scoring model that would slot individual merchants into different categories where, depending on the risk associated with each merchant, businesses would have to validate security every 30, 60 or 90 days.

Another weakness of the risk assessment guidance is the length of the document that contains it. Rosenberg, who participated in the risk assessment special interest group, called the 30-page document too long, especially for small merchants. "No one's going to spend their time going through it," he said.

Rosenberg admitted that it isn't "an easy thing to fix," but that the council could issue a risk assessment summary or boiled-down guidance that admits the requirements are "not necessarily going to cover all of your risks."

Silence is deafening

While mobile transaction volume remains low compared with traditional payments, the amount of mobile malware increased by 400 percent in 2012, Trustwave reported in May 2013. Rosenberg said that statistic is why the industry, including the PCI SSC, needs to be proactive about mobile device security. But the lack of information about mobile payment security in the proposed update is an admission by the council that it doesn't know how to proceed in this new and growing payments sector, according to Rosenberg.

"Technically, if you look at the standard right now, it's virtually impossible to get a mobile merchant to be PCI compliant," he said. "I won't say it's impossible. But it's very difficult. And part of the challenge is a technical one. Doing a vulnerability scan on a mobile merchant is really hard."

The reason for the difficulty is that mobile merchants utilize cell phone and Wi-Fi networks, not traditional card processing networks, according to Rosenberg. "It's fundamentally a different architecture than any other system that merchants have used before," he said.

Rosenberg added that the PCI SSC's official reason for the lack of mobile security requirements is that the mobile payment landscape is so new and volatile that any guidance the council issues may become quickly outdated. He said the council should issue mobile security requirements that concern "people, process and technology."

Merchants' mobile devices should be locked down as businesses secure traditional networks, Rosenberg said, which means restricting apps installed on devices, monitoring devices for malicious software downloads and educating employees on best practices, such as avoiding using the devices on social media sites like Facebook, where devices can be easily infected with malware.

Ratchet up firewalls

In lieu of guidance from the PCI SSC regarding mobile payment security, Rosenberg recommended ISOs and merchant level salespeople inform merchants that the easiest way to strengthen mobile security is to properly implement firewalls. "We run into a lot of organizations, even enterprises, who spend tens of hundreds of thousands of dollars on firewall security technology, but it just sits there, sometimes in the default state, with the default user names and passwords, no rules set up," he said. "It is essentially a revolving door."

By segmenting and securing sensitive data via firewalls, merchants can more successfully safeguard that data and minimize risk, according to Rosenberg. Especially for small merchants, and ISOs representing them, partnering with security firms like Trustwave is recommended. "I always tell people, it doesn't have to be Trustwave," Rosenberg said. "You can't just buy a box and expect that it will do something. There has to be intelligence about how it's administered."
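As an added illustration (not part of the article or Trustwave's tooling), the script below audits a simplified firewall configuration export for the "revolving door" conditions Rosenberg describes, namely default credentials, a factory-default state and no rules, and also checks that the cardholder data segment has an explicit deny-all. The export format, the zone name "cde" and the default-credential list are all constructed assumptions for this example.

```python
# Added example, not from the article: audit a firewall configuration export
# for default credentials, factory-default state, missing rules, and a missing
# default-deny into the cardholder data segment. The line format, the zone
# name "cde" and the default-credential set are constructed for this example.

DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}


def parse_config(text):
    """Parse 'user NAME PASS', 'rule ACTION SRC DST' and 'KEY VALUE' lines."""
    users, rules, settings = {}, [], {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "user" and len(parts) == 3:
            users[parts[1]] = parts[2]
        elif parts[0] == "rule" and len(parts) == 4:
            rules.append(tuple(parts[1:]))  # (action, src_zone, dst_zone)
        elif len(parts) == 2:
            settings[parts[0]] = parts[1]
    return users, rules, settings


def audit(text, sensitive_zone="cde"):
    """Return a list of (severity, message) findings; an empty list means no issue found."""
    users, rules, settings = parse_config(text)
    findings = []
    for name, secret in users.items():
        if (name, secret) in DEFAULT_CREDENTIALS:
            findings.append(("high", f"default credential still set for '{name}'"))
    if settings.get("state") == "factory-default":
        findings.append(("high", "device is still in factory-default state"))
    if not rules:
        findings.append(("high", "no rules configured: traffic falls through to the default policy"))
        return findings
    # Segmentation: the sensitive zone needs an explicit deny-all and no blanket allow anywhere.
    if ("allow", "any", sensitive_zone) in rules:
        findings.append(("high", f"blanket allow from any zone into '{sensitive_zone}'"))
    if ("deny", "any", sensitive_zone) not in rules:
        findings.append(("medium", f"no explicit deny-all into '{sensitive_zone}'"))
    return findings


# Constructed sample exports: a box "just sitting there" and a segmented one.
DEFAULT_EXPORT = "state factory-default\nuser admin admin\n"
HARDENED_EXPORT = """# constructed sample
state configured
user pciadmin Xk9#longRandomValue
rule allow pos cde
rule deny any cde
rule allow corp internet
"""
```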
