There is never a dull moment for compliance and security. Case in point: amidst a brewing storm of regulation, version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS), announced in late spring, articulates good data security intent along with some controversy.
PCI has been around since 2006 and aims to protect payment data for consumers and card issuers. A worthy cause, no question. Critics say PCI helps card issuers and banks limit their liability for loss at the expense of merchants. This may have some truth to it, but as a consumer, I want someone to protect my payment card data. (In addition, the livelihood of a merchant is highly dependent on creating positive customer experiences.)
It is encouraging to see the relatively rapid pace of PCI versions. PCI 3.1 was published in April 2015, and PCI 3.2 was published in April 2016. These fast updates reflect the need to be responsive and resilient in a dynamic threat environment. The date to comply is in 2018; this is a bit concerning because it gives attackers a nice 18+ months to do their business.
I understand the huge effort needed to meet compliance. This requires organizations to assess the risk and respond by prioritizing implementation over time. But many savvy organizations may already have some of these security controls in place.
The multi-factor authentication requirement is very much welcomed. Why? Because authentication is a backbone of security: it helps ensure that only trusted sources are granted access. This is an important cause in today’s world. The 2016 Verizon Data Breach Investigations Report revealed that 63% of breaches resulted from weak, default, or stolen passwords. Previous PCI versions required multi-factor authentication only for remote access from untrusted networks; extending it further is a step in the right direction.
The new requirement for service providers to perform penetration testing on segmentation controls at least every six months is also noteworthy. This effort is costly and time-consuming, but it adds diligence in uncovering the paths an attacker could take across segment boundaries. It should not replace the vulnerability scans that help identify potential holes. Multiple layers of defense are needed.
Finally, PCI 3.2 included additional requirements for more security controls for service providers. This seems reasonable; if service providers are going to bring IT to other organizations, they should adhere to the same security guidelines. Moreover, PCI 3.2 extended the deadlines for removing SSL and early TLS versions and migrating to newer ones.
While this is a huge effort, the vulnerabilities in these protocols need to be considered, and at a minimum, organizations should identify high-risk and critical environments as a priority. The Tripwire PCI solution can help you achieve PCI 3.2 compliance.
PCI has always been under siege by many critics. Early this year, the Federal Trade Commission (FTC) ordered nine companies to provide the agency with information on how they conduct assessments of companies to measure their compliance with PCI DSS. The FTC could be investigating potentially excessive charges, inconsistency in enforcement, card brand influence and rampant conflicts of interest.
I will not digress into any of these motives, but will simply acknowledge that compliance creates a complicated regulatory market for stakeholders and regulators alike. At the end of the day, we must keep our eyes on the true intent of PCI DSS: foundational data security.
I would be remiss not to mention the recent National Federation of Retail’s (NFR) letter to the FTC, which encouraged the FTC not to consider PCI DSS a viable standard or best practice. While NFR offered some interesting perspectives on how to view PCI (for example, that PCI is not an official standards body), I view PCI as an industry contract between businesses (merchant to card issuer). If you want your customers to have the option to use their payment card, please comply with these guidelines to ensure cardholder data is secure.
PCI 3.2 is one of the many waves of regulation with data security intent that organizations must ride. The tidal wave, or perhaps tsunami, that many organizations must prepare for is the General Data Protection Regulation (GDPR) from Europe. It was published earlier this year and will apply in 2018. Though it originates in Europe, the GDPR has a global reach.
Any organization, no matter where it is located, that manages any information on a European citizen (even an IP address) is required to comply with GDPR. So, any online merchant doing business with European customers must comply. GDPR’s scope is larger than PCI’s, with a focus on data privacy as well as security.
There will be more to come on how Tripwire responds to the GDPR and the PCI synergy.