Page 10 - GS131102
News




PCI DSS version 3.0 revealed

Three years ago, the PCI Security Standards Council (PCI SSC) published version 2.0 of the global standard for how payment appliances and networks should be secured. Now version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS) has arrived. Its emphasis is on integrating data security into everyday business practices, as well as providing more flexibility for businesses to comply with the standard while reinforcing their responsibilities – even when security is outsourced to third parties.

PCI DSS 3.0 is the result of input from the council's global constituency of payment technology and service providers and numerous working groups that promulgate best practices for aspects of data security. Drafts of version 3.0 were circulated to PCI participating organizations in August 2013 and were discussed at recent community meetings held in Las Vegas and Nice, France, before the updated standard was released on Nov. 7, 2013.

The update takes effect in January 2014; businesses have one year from that time to implement it. After that first year of PCI DSS 3.0's three-year lifecycle, the council will begin evaluating the effectiveness of the new standard and potential changes to it, based on community feedback and market conditions.

Among the changes made to the 12 overarching requirements of the PCI DSS is a new evaluation process for malware threats and new guidelines involving passwords. Along with the PCI DSS, its companion standard for payment-related software, the Payment Application (PA-) DSS, was also updated. Changes to the PA-DSS include integrity verification of source code during the development process of, for example, mobile payment apps.

Bake it into the business

Bob Russo, General Manager of the PCI SSC, said the main focus of the new overall standard is to compel businesses to make security a business-as-usual practice. "We hear a lot of that compliance talk: 'I'll check the box and I'm done until next year.' And that's where we're seeing a lot of breaches happen. So one of the goals is to try and make this business-as-usual, 24/7, 365 days a year. And make sure people are living and breathing [security]."

The new standard does this by making compliance more user friendly and giving businesses greater flexibility in how to implement it, according to Russo. PCI DSS 3.0 also puts an emphasis on enterprise-wide security education. For example, when businesses merge, the new business environment must be evaluated to ensure that equipment and processes are still PCI compliant, Russo said.

Additionally, the new standard seeks to raise awareness of shared responsibilities among businesses and their vendors. Russo said many merchants are under the false impression that outsourcing data security to third parties frees them from security responsibilities. "That, of course, is not the case," he said.

Educating the new blood

The security landscape seems to be becoming more perilous – not just from the schemes of enterprising hackers, but also from security-ignorant app developers. PCI SSC Chief Technology Officer Troy Leach pointed to the audit of a web-based payment application breach. "A development team was brought in after their payment application had been compromised," he said. "And they were asked, 'Well, why didn't you follow PCI PA-DSS?' And everyone around the table said, 'What is that?'"

In another case, Leach was talking to a businessman on the phone when he asked a technical question. Leach noted that in response, the man said, "Well, hold on just a minute. Let me put my developer on the phone." Then he handed the phone to his 15-year-old son, who had developed the application.

These instances highlight a challenge faced by the PCI SSC and the security community. "We have a new generation of developers that have to be introduced to why it's so important to maintain the integrity and trust that we've had for decades in the payments industry," Leach said.

Mobile payments blind spot?

In discussing PCI DSS 3.0, Greg Rosenberg, Sales Engineer at Trustwave and a Qualified Security Assessor, said the council missed an opportunity to address mobile payment security in more depth. A common question he hears from acquirers, ISOs and other merchant service providers is how to get merchants using mobile payment solutions PCI compliant. "And the answer today is it's really difficult under the current version of the PCI DSS," Rosenberg said.

Leach said the PCI DSS is meant to be technology and payment channel agnostic, thereby allowing the standard to function with any payment channel or scheme. But Rosenberg said that mobile payment solutions employ "fundamentally different architecture than other point of sale systems that have been used in the past." Mobile architecture includes global positioning systems, cameras and different operating systems than those of standard POS devices, Rosenberg said. "As a result, the threat presented to these [devices] is unique," he noted.

Rosenberg believes that mobile security requirements can be included in the standard as a carve-out that the council employs for specific technology concerns. "A good example is wireless," he said. "Not every merchant uses wireless. And so we have standards that talk about the