Pci 3.0: What the Standard Lacks Is What Businesses Should Secure

By Michael Aminzade, Director of Delivery for EMEA & APAC at Trustwave

On November 7, 2013, the new Payment Card Industry Data Security Standard (PCI DSS 3.0) – a requirement for businesses that process, store or transmit payment card information designed to help them protect that information from a data breach – was published by the PCI Security Standards Council (PCI SSC). When drafting PCI DSS 3.0, The PCI SSC used feedback from industry experts about previous standards including which parts worked and what areas needed improvement. While many parts of the new standard should help businesses better protect their customers’ information, PCI DSS 3.0 still fails to address a few critical areas.

The mobility and risk assessment problem

Michael Aminzade Trustwave

The most pressing issue is the lack of any standards surrounding mobile and mobile payments. The Council may not yet be ready to issue a data security standard for mobile devices since new mobile devices and applications are being developed at a very high rate which may make any current standard obsolete. As revealed in the 2013 Trustwave Global Security Report, our security experts saw a 400% increase in mobile malware in 2012, which goes to show the challenge businesses are facing in developing effective security strategies surrounding mobile devices.

Trustwave Managing Consultant, Mike Park, recently unveiled research that exposed vulnerabilities he found within iOS based custom mobile POS solutions that some retailers use every day. He ethically hacked several mobile POS solutions to discover the vulnerabilities and was able to gain access to customers’ payment card information within 20 minutes.  The project demonstrated how criminal hackers can exploit the same vulnerabilities in iOS based custom mobile POS solutions and steal payment card information for malicious purposes.  Currently, PCI DSS 3.0 does not mandate businesses to implement any security controls surrounding mobile POS payments. The PCI SSC has published suggested guidance pertaining to mobile security however it is voluntary, not mandated.  Ideally, the Council should develop a security standard for mobile devices that organisations are required to follow to help protect the valuable payment card information that flows through these devices every day.

Assessing the Risk
Like its predecessor, under PCI 3.0, any organisation that handles payment card data is required to conduct an annual risk assessment, which should help identify risks in a business’ environment. Risk assessments help businesses improve their security posture by identifying weaknesses within their network and applications that could lead to the organisation falling victim to a data breach. However, in today’s environment, a single risk assessment each year is no longer enough. As more technologies (such as BYOD, mobile applications and social media) are added to the business environment, new threats are consistently emerging, which is why risk assessments should be performed at least every six months.

Security should be business as usual
The PCI SSC used a “business-as-usual” approach when creating PCI 3.0, incorporating requirements for businesses to follow as part of their day-to-day operations. The standard encourages organisations to take a proactive approach to protecting cardholder data, one that focuses on security in addition to compliance. In previous versions of the standard, the Council used more of a check-the-box approach to compliance where businesses would fulfil the minimum requirements in order to be compliant.

The new business-as-usual standard aims to change this by providing businesses guidance about how to incorporate security activities as part of their regular business activities. The goal of this approach is for businesses to understand security first, and then as a result of implementing the security controls that they need in their specific environment, they will inherently be in compliance. One area that could have helped organisations in the implementation of a business-as- usual strategy would have been guidance that highlights the expanded use of security tools beyond vulnerability scanning. Merchants should be using security tools that demonstrate their systems are configured to meet the compliance requirements. There are many options on the market such as tools that identify improper use of guest and administrator accounts, find weak and default passwords, and perform a network inventory as well as validate current anti-virus software. The new standard would have been a good opportunity to mandate that small merchants use these kinds of tools so that they can better demonstrate they are in compliance.

Ultimately, the aim of PCI DSS 3.0 is to help businesses ensure that they put effective controls in place to protect payment card data. The new standard is scheduled to take effect on a voluntary basis beginning 1st January 2014, and will be mandated in January 2015. However, any forward-thinking organisation should already be considering and implementing new tools, techniques, and processes that will help them move towards achieving the new compliance standard. Not only will this mean businesses will be fully prepared for when the new compliance regulations come into force, but in the process they will develop new security practices to help protect their customer card data and improve their security posture.

By Michael Aminzade, Director of Delivery for EMEA & APAC at Trustwave

On November 7, 2013, the new Payment Card Industry Data Security Standard (PCI DSS 3.0) – a requirement for businesses that process, store or transmit payment card information designed to help them protect that information from a data breach – was published by the PCI Security Standards Council (PCI SSC). When drafting PCI DSS 3.0, The PCI SSC used feedback from industry experts about previous standards including which parts worked and what areas needed improvement. While many parts of the new standard should help businesses better protect their customers’ information, PCI DSS 3.0 still fails to address a few critical areas.

The mobility and risk assessment problem

Michael Aminzade Trustwave

The most pressing issue is the lack of any standards surrounding mobile and mobile payments. The Council may not yet be ready to issue a data security standard for mobile devices since new mobile devices and applications are being developed at a very high rate which may make any current standard obsolete. As revealed in the 2013 Trustwave Global Security Report, our security experts saw a 400% increase in mobile malware in 2012, which goes to show the challenge businesses are facing in developing effective security strategies surrounding mobile devices.

Trustwave Managing Consultant, Mike Park, recently unveiled research that exposed vulnerabilities he found within iOS based custom mobile POS solutions that some retailers use every day. He ethically hacked several mobile POS solutions to discover the vulnerabilities and was able to gain access to customers’ payment card information within 20 minutes.  The project demonstrated how criminal hackers can exploit the same vulnerabilities in iOS based custom mobile POS solutions and steal payment card information for malicious purposes.  Currently, PCI DSS 3.0 does not mandate businesses to implement any security controls surrounding mobile POS payments. The PCI SSC has published suggested guidance pertaining to mobile security however it is voluntary, not mandated.  Ideally, the Council should develop a security standard for mobile devices that organisations are required to follow to help protect the valuable payment card information that flows through these devices every day.

Assessing the Risk
Like its predecessor, under PCI 3.0, any organisation that handles payment card data is required to conduct an annual risk assessment, which should help identify risks in a business’ environment. Risk assessments help businesses improve their security posture by identifying weaknesses within their network and applications that could lead to the organisation falling victim to a data breach. However, in today’s environment, a single risk assessment each year is no longer enough. As more technologies (such as BYOD, mobile applications and social media) are added to the business environment, new threats are consistently emerging, which is why risk assessments should be performed at least every six months.

Security should be business as usual
The PCI SSC used a “business-as-usual” approach when creating PCI 3.0, incorporating requirements for businesses to follow as part of their day-to-day operations. The standard encourages organisations to take a proactive approach to protecting cardholder data, one that focuses on security in addition to compliance. In previous versions of the standard, the Council used more of a check-the-box approach to compliance where businesses would fulfil the minimum requirements in order to be compliant.

The new business-as-usual standard aims to change this by providing businesses guidance about how to incorporate security activities as part of their regular business activities. The goal of this approach is for businesses to understand security first, and then as a result of implementing the security controls that they need in their specific environment, they will inherently be in compliance. One area that could have helped organisations in the implementation of a business-as- usual strategy would have been guidance that highlights the expanded use of security tools beyond vulnerability scanning. Merchants should be using security tools that demonstrate their systems are configured to meet the compliance requirements. There are many options on the market such as tools that identify improper use of guest and administrator accounts, find weak and default passwords, and perform a network inventory as well as validate current anti-virus software. The new standard would have been a good opportunity to mandate that small merchants use these kinds of tools so that they can better demonstrate they are in compliance.

Ultimately, the aim of PCI DSS 3.0 is to help businesses ensure that they put effective controls in place to protect payment card data. The new standard is scheduled to take effect on a voluntary basis beginning 1st January 2014, and will be mandated in January 2015. However, any forward-thinking organisation should already be considering and implementing new tools, techniques, and processes that will help them move towards achieving the new compliance standard. Not only will this mean businesses will be fully prepared for when the new compliance regulations come into force, but in the process they will develop new security practices to help protect their customer card data and improve their security posture.