Friday, September 27, 2019
In addition to continually updating security standards, the PCI SSC is promoting interaction and innovation among payments industry stakeholders, noted Troy Leach, chief technology officer. Recent efforts discussed at the meeting include a Request for Comment (RFC) process, currently employed in the PCI Data Security Standard Version 4.0 Request for Comments initiative; the PCI Software Security Framework, which supports agile innovation within approved process guidelines; and the P2PE Standard and Program.
“At last year’s community meeting, these new engagement models were still being designed and we had just created the framework for new areas of engagement,” Leach said. “Seeing the fruits of their labor has energized the industry.” He expects the newly implemented RFC process to improve collaboration when developing next-generation security standards for “a quickly changing world of payments.”
Participating members and attendees praised PCI DSS 4.0 and the Council’s renewed focus on collaboration.
Ruston Miles, chief strategy officer, executive vice president and founder at Bluefin, said PCI DSS 4.0 will be easier to understand and implement and “a significant upgrade to the standard in terms of usability and user experience.” Miles was also pleased that P2PE is a top-of-mind topic and becoming widely adopted at a growing pace. Reworking existing standards and organizational structures will improve the user experience, he added.
Marc Punzirudu, vice president, security consulting services at ControlScan, said, “PCI 4.0 will give entities that have established security programs the ability to perform alternative validation of controls.” This significantly improves the standard by replacing compensating controls with objective-based control tests, he stated.
“I’m also personally energized about the Small Merchant Taskforce I’m a part of, because we will be reviewing and commenting on the PCI 4.0 SAQs as they start getting developed,” added Chris Bucolo, vice president of market strategy at ControlScan. “In doing so, we have the opportunity to consolidate and streamline concepts where possible.”
Jen Stone, senior security analyst at SecurityMetrics, presented on formjacking, a cybercrime that intercepts web pages and payment forms. Malicious JavaScript code collects payment card numbers and other personally identifiable information and sends data to another location of the attackers’ choosing, she explained.
“A great part of collaborating with the Council is being able to talk about these trends,” she said. “Half a dozen security analysts came up after the presentation and said, ‘that was a great piece.’”
For further details, please visit www.pcisecuritystandards.org.