By Dale S. Laszig
Security leaders found collaborative energy and focus at the PCI Security Standards Council's 2019 annual community meetings in North America and Europe. In his European keynote, Lance Johnson, PCI SSC executive director, emphasized unity and said that in a rapidly changing environment, "stakeholders can be certain that industry participation, evolution, alignment and consistency will be constants in the council's efforts to provide standards and resources for securing payment data."
Troy Leach, PCI SSC chief technology officer, agreed payment security is a unifying force, even for competitive council founders American Express, Discover, JCB, Mastercard and Visa. In a September 2019 interview with The Green Sheet, Leach said information sharing and technical competencies will continue to play a role in helping organizations maintain compliance, protect data and defeat fraud. "Point-to-point encryption, tokenization, machine learning and other advanced technologies can help payments industry stakeholders address increasingly complex data environments," he stated.
Gary Glover, vice president of assessments at SecurityMetrics, said he and others on security's front lines were warmly received at recent North American and European community meetings. The PCI SSC is engaging earlier and more frequently with stakeholders, which is helping to make them feel more trusted as a community, Glover added. For example, Payment Application Qualified Security Assessors were shown a draft of the Strategic Software Framework and asked to comment. And two comment and draft review sessions are planned before the council publishes the PCI DSS 4.0 in late 2020 or early 2021.
This article shares further perspectives on these developments and other PCI SSC initiatives devised to increase interaction, member engagement and innovation.
The Strategic Framework is designed to guide activities and fulfill the council's mission to "enhance global payment account data security by developing standards and supporting services that drive education, awareness and effective implementation by stakeholders." The mission is further defined by the strategic framework's four pillars, set forth by the PCI SSC: "Increase industry participation and knowledge; evolve security standards and validation; secure emerging payment channels; and increase standards alignment and simplicity."
For Glover, the "increase industry participation and knowledge" pillar reflects the PCI SSC's improved community outreach that fosters innovation and global communication. His impression is that the council is more open than ever to feedback and will now listen to QSA companies. "In previous years, participating organizations and QSAs have not had the opportunity to provide feedback before standards were changed," he said. "We'd see the published standard and try to interpret it and ask questions."
New security requirements for commercial off-the-shelf devices will enable merchants to accept contactless transactions without adding extra hardware. The council plans to publish the new Contactless Payments on COTS (CPoC) standard in December 2019 and launch the program in 2020.
John Markh, PCI SSC standards manager, said, "CPoC expands our support for contactless payments with a standard specifically for contactless acceptance on merchant COTS devices." The CPoC standard includes security and test requirements and guidance on implementation and oversight. Participating solution providers will be evaluated and listed in the CPoC Solutions section of the PCI SSC website.
The council opened its request for comments (RFC) for PCI DSS Version 4.0 using newly formalized RFC procedures created to foster stakeholder understanding and participation. The Request for Comments (RFC) Process Guide details procedural changes. Also, a new section of the PCI SSC website highlights the RFC process and lists upcoming RFCs, including recent updates on current and upcoming RFCs.
Another goal of the formal RFC procedure is to exchange feedback with stakeholders, according to Lauren Holloway, PCI SSC director of data security standards. She was quoted by Mark Meissner, the council's vice president public relations, in a February 2019 blog post written to offer guidance on the process. "A consistent documented process lets our stakeholders know what to expect and that advance knowledge should encourage greater participation in our RFCs and provide us with more feedback," Holloway said. "The intent is to turn that feedback into action."
Due out in December 2019, the next evolution of the PCI Point-to-Point Encryption (P2PE) Standard and Program will simplify requirements and add flexibility to P2PE implementation.
Ruston Miles, chief strategy officer, executive vice president and founder at Bluefin, expects these updates to help participating service providers balance security with a frictionless user experience.
Miles cited two major takeaways from recent community meetings: first, P2PE is a top-of-mind topic and being widely adopted at a growing pace; and second, standards and organizational structures are being reworked to prioritize stakeholders and their user experience.
"The P2PE Solution 3.0 standard is coming out very soon," Miles said. "In fact, participating organizations will be working through the commenting and feedback phase later this year. It will not change the technical requirements so much as it will ease implementation logistics and assessments. There are now 86 certified P2PE solutions listed on the PCI SSC website in late 2019. That is a long way from four listed P2PE solutions in early 2014."
PCI DSS v4.0 will support a range of evolving payment environments, technologies and security methods, Leach noted. Stakeholders are reviewing the draft and exchanging ideas, which will continue through the RFC period. Stakeholder feedback and a changing payments industry will be key considerations in developing PCI DSS v4.0, he stated. So far, the council's vision for v4.0 appears to be resonating with members, who have indicated they expect its flexibility will enable organizations to maintain compliance and react quickly to emerging threats.
Miles sees PCI DSS 4.0 as a significant upgrade to the standard, particularly in terms of usability and user experience. From his perspective, the refresh improves clarity and makes the standard more easily understood and accessible to users. "This is a necessary step in the maturation process of this and any standard, which will further promote adoption of the standard," he said.
Marc Punzirudu, vice president of security consulting services at ControlScan, was impressed by the alternative validation of controls in PCI 4.0, which applies to entities with established security programs. Alternative validation is a test against the intent of a control and its objectives, instead of a review of the standard control as written, he noted.
Replacing compensating controls with customized responses to requirements, which the PCI SSC called a "natural evolution," is expected to be valuable to mature organizations. Customized validation enables them to demonstrate how they meet PCI DSS requirements in unique ways, Punzirudu stated. "I largely see the need for compensating controls to disappear altogether as they are, in essence, an objective-based control test," he said.
Glover agreed that defined, customized approaches would be more effective than compensating controls, which are typically used when situations don't exactly comply with the standard and can sometimes feel like a "temporary fix." A customized approach eliminates the "get out of jail free" card feeling and provides a more permanent option, Glover noted. This approach would be a good fit for mature organizations with a real grasp on security and operations, he added. Assessed entities would have to demonstrate how a proposed approach would meet a required objective.
Michael Magrath, director, global relations and standards at OneSpan, said today's merchants tend to be knowledgeable about multifactor authentication but fall short on identity verification. From an internal standpoint, they may be lacking in administrative capacity or use a third-party service provider.
When the council mapped the PCI DSS to the National Institute of Standards and Technology (NIST) cybersecurity framework, aligning a range of controls and publications, the section on identity proofing lined up perfectly on both sides, Magrath recalled. "I was in early meetings when NIST was drafting it," he said, adding that static passwords were replaced with non-static multifactor authentication.
Ciske van Oosten, senior manager, global intelligence at Verizon Enterprise Solutions, and lead author of Verizon's 2019 Payment Security Report, recalled participating in early meetings when the PCI SSC was formed in 2006, and later collaborations with NIST. "I was part of the journey in the early days, and it has been interesting to see the strategic alliances that have formed over the years," he said. "As the program matures, you need resources to measure metrics. You need hard facts to drive to a higher level of capabilities."
He went on to say that PCI DSS 4.0 will be the most significant iteration of the standard to date. It will change how assessments are done. PCI compliance will no longer be a wash, rinse, repeat process. QSAs will no longer be tied to compensating controls; they can freely design and implement their own tailored, customized controls, he stated.
As the PCI DSS celebrates its 15th birthday, breaches continue to occur, underscoring the need for effective, sustainable control environments, van Oosten noted. However, he pointed out that many enterprises continue to take a "check box" approach to compliance; as compliance programs evolve and mature, they must also move from a reactive to proactive state.
"Without a sound strategy to measure data protection effectiveness and sustainability, throwing money at data protection does little to prove an organization is getting better at maintaining compliance," he wrote in the Verizon report. "This approach may lead to a false sense of security. Many organizations appear stuck in a reactive cyclic pattern, focusing only on meeting baseline compliance requirements."
We must continue to provide guidance to the payments industry and help stakeholders develop and measure the effectiveness and maturity of data protection, van Oosten stated, adding that sustainable processes must meet regulatory requirements and maintain controls over extended periods. We must continue to help organizations effectively manage their control environments and achieve a level of assurance and predictability for each core data protection and compliance process, he noted.
Chris Bucolo, senior vice president, market strategy at ControlScan said, "The council is really asking for lots of input this time around, with the idea of addressing evolving risks and threats. They are talking about it being a process that stresses risk-based outcomes, with an emphasis on ongoing security and not a point-in-time checklist."
As he reflected on recent data breach activity, Bucolo said the PCI SSC will continue to focus on third-party service providers and password security. As an enthusiastic member of the council's Small Merchant Taskforce, he looks forward to working with small and midsize merchants as they review and comment on the PCI 4.0 Self-Assessment Questionnaire (SAQ). "In doing so, we have the opportunity to consolidate and streamline concepts where possible," he said.
"Data protection is not an IT problem," van Oosten said. "Data protection is not a knowledge problem. Data protection, at heart, is a proficiency problem. And the problem of accessing, simplifying and controlling data is compounded by lack of information security proficiencies, whether they are in-house or outsourced. But I do believe we are moving in the right direction."
Miles affirmed that security is the goal and stakeholder involvement is the key to getting there. "When security standards are more widely used, the entire ecosystem is better for it," he said. "We can see these changes in DSS 4.0 as a sign of things to come as the Council reworks all standards and organizational structures to keep security and stakeholders at the center of their world."
Dale S. Laszig, senior staff writer at The Green Sheet and managing director at DSL Direct LLC, is a payments industry journalist and content development specialist. She can be reached at dale@dsldirectllc.com and on Twitter at @DSLdirect.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
Prev Next