In eight weeks the long-awaited Payment Card Industry data security standard 3.0 takes effect. But already security experts are warning that it alone won’t stop the rash of embarrassing data breaches we’ve seen in the last 12 months.
PCI guidelines are important for smaller organizations that directly or indirectly process credit and debit cards, said Greg Rosenberg, a security engineer at security vendor Trustwave who advises customers on compliance. But “as you become a bigger organization PCI compliance becomes a baseline, a starting point. It’s not the be-all or end-all.”
For example, he said, one requirement is that organizations have passwords for accessing systems with customer data of at least seven alphanumeric characters. “That would probably not cut the mustard for a larger organization for the payment system or a critical server,” he said.
PCI 3.0 has many important changes, he said, “but you need to be able to perform a risk assessment to understand the gaps between compliance and true risk.”
As of Jan. 1, merchants, Web sites and service providers dealing with credit, debit and certain gift cards with cash value will have to prove their data systems can meet the standard. PCI council founding members — American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. — can discipline parties that can’t prove they comply, usually through fines. So there’s pressure on merchants and service providers who want to be able to process credit/debit cards to be in their good books.
The problem, complain a number of security experts, is that some organizations check off on a list that they have a firewall, for example, but there is no obligation in the standard to prove the device is properly configured. Once a year an organization certifies it’s compliant, they complain, and the rest of the year it’s not important. On the other hand, Troy Leach, the PCI council’s chief technology officer, has been quoted by CIO.com saying the standard demands “continuous monitoring of the environment. It’s not about being compliant for two months and then taking 10 months off.”
Still, Rosenberg noted, PCI DSS 3.0 has important changes, some of which may be a surprise to merchants and service providers — although the incoming standard was released 11 months ago, giving lots of time for preparation:
–Organizations that have to comply still aren’t mandated to segment the network that handles payment card data from the rest of the corporate network, although it’s a good practice. However, those that do segment their networks will now have to prove the way it’s been done offers adequate protection. The standard also mandates that the person testing the system cannot be the one who manages or administers the system.
“It’s a really important change people will want to be aware of,” said Rosenberg.
–Many e-commerce sites don’t process payment card data themselves. Instead they contract it out to specialty service providers. When a customer goes to pay for an item, they are shifted to the service provider. Under the existing PCI standard, the merchant doesn’t have to do very much to meet compliance, said Rosenberg — most of the requirements deal with internal policies and procedures.
Under PCI 3.0, they might have to erect firewalls, prove they conduct security scans and do penetration tests. The new rules “will be a shock to some of these merchants,” many of whom thought responsibility shifted to the third parties doing the processing.
–Those third-party service providers — which may include Web hosting companies, payment gateways and managed security providers — will have to show which PCI requirements they are meeting.
This will help those merchants using third parties to better choose a supplier, Rosenberg said.
–Many organizations that have to comply with PCI DSS have used automated tools for penetration testing. Not any more. Under version 3.0, affected parties have to follow a formal testing procedure.
–Service providers that remotely connect to a merchant for network management will be forced to show they are using two-factor authentication, and that there is a unique password for each PCI customer. That should at least slow down hacking attacks, Rosenberg said.