Page 36 - GS181201

Cover Story




protecting control environments from failing, van Oosten stated.

6. Control lifecycle management: Control lifecycle management entails monitoring and actively managing security controls through each stage of their lifecycle, from inception to retirement, to promote healthy, sustainable control environments.

7. Performance management: Performance management is an ongoing process of establishing, communicating and accurately measuring performance standards. Effective performance management improves results, promotes predictable outcomes and facilitates early identification and correction of performance deviations.

8. Maturity measurement: A control environment must improve continuously and never be stagnant, van Oosten stated. Using a roadmap and established targets for processes and capabilities can help organizations optimize processes, track process development and ensure that their processes can support continuous improvement.

9. Self-assessment: Achieving all of the above objectives requires organizations to assess their 4 C's: resource capacity (people, processes and technology), capability (supporting processes), competency (skills, knowledge and experience) and commitment (consistent adherence to compliance requirements).

Continuous innovation

PCI SSC members see a need for continuous innovation to meet emerging threats, technology trends and changing consumer behavior. "Despite heavy work schedules, committee members are committed to sharing knowledge and exploring how we can engage as a community," Leach said. "We recognize the importance of developing next-generation standards and programs."

In the past year the council received more than 1,500 highly articulate suggestions on mPOS security, including software-based approaches for protecting PIN entry on commercial off-the-shelf devices, Leach recalled. Discussions led to the January 2018 release of the Software-Based PIN Entry Standard, which isolates the PIN from other data. He said the solution builds on a foundation of hardware-based PIN entry solutions and will be part of the upcoming revised PCI Software Security Framework.

Innovation in security is ideally measured by its degree of effectiveness, van Oosten noted. For example, how does it simplify the control environment, reduce costs and management effort, or improve visibility and control of security operations? In large organizations, it can take several years for such changes to filter through to the rest of the enterprise. It depends, to a great extent, on getting buy-in and support from corporate executives.

"Innovation is important, but the one thing that should not be thrown out with each iteration is security," Miles stated. "We see that oftentimes security technology is not keeping pace with new payment schemes."

Having attended PCI SSC community meetings in Las Vegas and London, Miles found marked differences between North America's diversified payments landscape and European countries, which have one or two dominant banks and providers. Controlling your environment may lower risk but can also restrict access to new, innovative vendors, Miles noted. "The United Kingdom and Ireland are breaking that mold by introducing new service providers," he said. "These newcomers are not trying to take over; they're just trying to provide more payment delivery options."

Sustainable future

"The Payment Card Industry Data Security Standard (PCI DSS) was established by the leading card brands to help businesses that take card payments reduce fraud," wrote the authors of Verizon's 2018 Payment Security Report. "While it's focused on protecting card data, it's built on solid security principles that apply to all types of data. It covers vital topics such as retention policies, encryption, physical security, authentication and access control."

As the PCI SSC continues to build its global community, members see opportunities for collaboration beyond its traditional footprint. Timothy Thomas, vice president of product strategy at ControlScan Inc., a managed security service provider, has seen other organizations push for the same kind of outreach to address security. "The council is finding similarities with other standards bodies, such as HIPAA and ISO," he said. "For example, there are 20 requirements in the ISO compliance standard that exactly match the PCI framework."

As he reflected on emerging markets in the expanding payments sphere, Thomas said, "We're educating vendors who used to worry about their drivers taking cash and never had to think about [payment] security."

He noted, for example, that automated vending and parking garages are relatively new to payments. Service providers that previously sold traditional vending machines are placing self-attended kiosks in factories and offices. Demand is growing because people aren't carrying cash, and operators appreciate being able to remotely manage online payments and inventory and know when to stock a machine. No more counting coins and cash, he added.

"Criminals, like water, always find a way in," Thomas said. "As merchants implement P2PE and tokenization, risks flow to weaker points and find their way in through third parties. That's why people like us are invited to more and more venues."

