This week in Las Vegas, the Payment Card Industry Security Standards Council (PCI SSC) is holding the first of its annual PCI Community Meetings. The gatherings are forums to discuss the state of the Payment Card Industry Data Security Standard (PCI DSS) and its sister mandates, which seek to ensure payment card data security. This year, the stakes are high: It's the last chance that the SSC's more than 700 member organizations will have to voice questions or concerns before PCI DSS 3.0 is finalized in November.
SearchSecurity spoke with SSC General Manager Bob Russo and Chief Technology Officer Troy Leach about the PCI annual meeting, attendees' reactions to the proposed PCI DSS updates and why the final version will include even more changes.
For those who haven't been to a PCI Community Meeting, what is it and why is it important?
Bob Russo: This is the first of three meetings where the PCI community gets together and discusses whatever happens within PCI. This year happens to be the release of updates to all of our standards. So we are not only discussing all of the feedback we've received, but also giving feedback to attendees in the PCI community. This is their opportunity to comment on those changes and make sure we haven't missed anything. We'll do this again next month in Europe and one more time for Asia-Pacific at the beginning of November, and then on Nov. 7 the standard will be officially released.
Describe the overall reaction this week from attendees regarding the changes proposed for PCI DSS 3.0.
Russo: The overall reaction has been really good. The key theme in the changes, based on the feedback we've seen, is people like that we're making the standards more flexible and making sure awareness and education are a big part of it.
Troy Leach: As of now, we've had several rounds of feedback with our 1,300 'friends and family' -- the stakeholders who are here -- and there's been a real sense that this has been a joint collaboration, especially around areas where we've made some significant changes, which are more significant than the changes we made in 2010 [with PCI DSS 2.0], largely because in the last three to five years, organized criminals are getting more sophisticated.
Speaking of sophisticated attacks, some in the information security industry have been critical of the PCI DSS because they claim it hasn't kept up with the defenses needed to ward off sophisticated attacks. Has that been a theme you've heard from attendees this week?
Russo: I've heard that, sure, but as we've discussed with attendees this week, we've been meeting here for seven-and-a-half years, and we've evolved, but to be honest, in many ways we're still dealing with the same threats that we were talking about seven-and-a-half years ago -- SQL injection attacks, companies not putting patches in -- and breach statistics bear this out. It's the simple threats that are killing us.
We have to really key in on going back and taking care of the basics, and that's what this version does. It explains that you have to make not only PCI, but also security part of business as usual. Are attacks getting more complex? Without question. We're going to start seeing breaches that are much more complex, but if it's so easy to compromise merchants because they aren't doing the basics, why do attackers need to rack their brains to come up with new exploits? Let's address all the low-hanging fruit, and that's the theme of what we're doing.
I've heard that there are likely to be significant changes between the PCI DSS 3.0 draft and what ends up in the final standard, more so than in past update cycles. Will that prove true?
Leach: It is, and we've been open and transparent about it. Some of these proposed changes are tentative. We are still in the process of listening to feedback, and we'll be looking at that over the month of October. It is unique; in previous release cycles, [the standard] was fully baked by the time we got to the community meeting. At this community meeting, we've said, 'Here are the proposed changes. We really need your opinions at this event, so share them with us so we understand the implications from all different types of stakeholders.'
What has been the most-discussed proposed change at this week's meeting?
Leach: I think it's been the changes regarding point-of-sale [POS] terminals. Things I've heard directly from stakeholders are things having to do with physical security requirements, POS terminal inspections and what that means for retail communities in areas like educating their staff.
One of the changes that's been really well received is that in each and every one of the 12 requirements, we've put in 'business as usual' practices. We've always had these, but they've been in their own document, called 'Navigating PCI DSS,' and now people have the direct intent of the spirit in which we wrote the standard. If you're someone who may not be responsible for PCI as your primary role, such as a firewall administrator, but you have certain responsibilities that overlap with PCI, that change is going to offer you an incredible amount of guidance.
"I like the updated PCI DSS due to additional details in testing (for QSAs) and implementation (for merchants) guidance, focus on operational processes and increased coverage of application security. On the other hand, one thing that I really wanted to see in the standard and didn't is mandating card data discovery scans to confirm the scope during the assessment and also between assessments.
Also, the 'PCI DSS into business as usual' theme is brilliant! However, getting merchants to switch from 'PCI happens once a year' to 'PCI is business as usual' will take a lot of work."
-- Dr. Anton Chuvakin, research director, Gartner Inc., who attended the meetings in Las Vegas this week.
To that point, one of the areas we see failures is, for example, where a merchant will have good intentions to meet the requirements, but then they merge with another company, the professionals in charge of PCI change roles and new IT administrators and senior managers come in. All the while they don't think anything has changed, but the necessary network monitoring activity is no longer being done, or more people than necessary have access to admin passwords that should have been revoked.
One technological change that will affect PCI is the increased adoption of Europay, MasterCard and Visa (EMV) Chip and PIN technology. What discussions have taken place this week about EMV and PCI?
Leach: It's such an important issue that we spent an entire session discussing it this week. As EMV migrates to the U.S. market, we're going to see a significant shift in fraud, away from face-to-face retail transactions. EMV is a phenomenal technology for authenticating who the cardholder is and authenticating the transaction, but what we're going to need to do over the next 3 to 5 years is educate merchants; there will still be a significant need for security. The role of EMV is to authenticate the transaction, not necessarily secure it. EMV chips still process cardholder data exposed 'in the clear.' So there's going to be a big need for collaboration and an increased understanding of how different standards work in EMV environments, specifically those that have to do with encryption and creating an inability for criminals to see unencrypted card data as it goes from the terminal through the merchant environment and out to the payment processor and the banks.
What is the timeline of events between now and the official release of PCI DSS 3.0 in November and beyond?
Leach: In the next 2 to 3 weeks, we'll take all the feedback we've received and talk through each and every piece of it, and we'll factor that information in as we finalize the standard. Then, after the November release, we'll shift our focus to the docs that support the standard -- the self-assessment questionnaires, attestations of compliance. We've received a lot of feedback this week about how those documents are pain points for the small merchant community. People say, 'How can we fill these out? They look like tax forms.' So there are quite a few changes coming to the documents that support the standards, and those are coming in Q1 of 2014.
Russo: Also note the community is going to have a full year to implement PCI DSS 3.0. There's some learning that has to take place, so they'll have until the end of 2014. And we'll offer many courses and webinars to help.