The PCI Security Standards Council (PCI SSC) has published version 3.0 of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS), which govern the storage and processing of payment card data. PCI 3.0 takes effect on January 1, 2014, with the objective of moving the industry from mere compliance to a comprehensive approach to payment card security.
Some requirements of PCI 3.0 involve putting measures in place against card skimming at the point of sale, secure coding practices, and the use of unique authentication credentials. Closer attention will now be paid to physical point-of-sale (POS) systems to deter card skimming. Formal PCI compliance assessments by Qualified Security Assessors (QSAs) will now include questions about the merchant’s programs to educate personnel on the threat of card skimming and fraud.
“The No. 1 thing to work on is the need to be aware of security throughout the organization and to educate across the enterprise so that everyone shares the responsibility to protect cardholder data,” said Troy Leach, CTO at the PCI Security Standards Council, in an interview. “The technology evolves, but the people and processes inside the organization remain the same. So we need ongoing awareness about accepting and storing cardholder data so that we can come together as a community to ensure the security and safety of that data.”
“We have an underlying aim to make PCI a little more user-friendly than it was,” said Bob Russo, general manager, PCI SSC. “We want to increase education and awareness, and we want to be more flexible. And especially for smaller merchants that outsource many of their applications, we want to stress that security is a shared responsibility, even if a third-party is doing data storage for you.”
The Open Web Application Security Project (OWASP) has done a good job of outlining the application vulnerabilities relevant to PCI. Many software developers working on PCI standards are, however, unaware of the best practices OWASP outlines. This leads to insecure coding practices and to applications that let criminals easily access customer data at POS systems. PCI 3.0 now requires developers to verify the integrity of their source code so that the application withstands well-known security flaws.
“What we’re seeing through all of the breach reports, technology moves on and things get more complex – but the basic exploits are still being used and used successfully, like SQL injection and password issues,” Russo said. “If we can move the needle a little even on the default password problem, then we’re way ahead. So we still have to deal with the low-hanging fruit even as more ingenious ways of stealing data are created.”
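The "low-hanging fruit" Russo refers to is easy to show in code. The following is an added example, not code from the article or from the PCI SSC: a query built by string concatenation beside the parameterized form OWASP recommends, run against a constructed in-memory SQLite table of merchant records (the table, the merchant names and the `lookup_*` function names are all assumptions made for the illustration).

```python
import sqlite3

# Constructed sample database for the demonstration; not data from the article.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (id INTEGER PRIMARY KEY, merchant TEXT, last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO cards (merchant, last4) VALUES (?, ?)",
        [("acme", "1111"), ("acme", "2222"), ("globex", "3333")],
    )
    return conn


def lookup_vulnerable(conn, merchant):
    # Insecure pattern: the caller-supplied value is spliced into the SQL text,
    # so a value containing a quote changes the meaning of the query.
    sql = "SELECT last4 FROM cards WHERE merchant = '" + merchant + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, merchant):
    # Parameterized query: the driver passes the value as data, so it can
    # never be interpreted as part of the SQL statement.
    sql = "SELECT last4 FROM cards WHERE merchant = ?"
    return [row[0] for row in conn.execute(sql, (merchant,))]


if __name__ == "__main__":
    db = build_db()
    # A well-formed merchant name behaves the same either way.
    print(lookup_vulnerable(db, "acme"), lookup_safe(db, "acme"))
    # A value that closes the quote and appends a tautology: the concatenated
    # query returns every merchant's records, the parameterized one returns none.
    bad = "x' OR '1'='1"
    print(lookup_vulnerable(db, bad), lookup_safe(db, bad))
```

The point for a code review or a QSA assessment is that the two functions are indistinguishable on normal input; only the parameterized version keeps cardholder data scoped to the merchant that was asked for.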
Version 3.0 requires vendors to use unique authentication credentials for each customer and each merchant environment. Certificates, security tokens and smart cards linked to individual accounts will now be restricted to the intended user. If a hacker gains access to one account during a breach, this makes it hard for them to reach the details of other accounts within the environment.
PCI 3.0 also makes distinctions on how to tackle malware. The Council advises that continual evaluation of malware threats should be conducted for all systems, even those that aren’t commonly affected.
“This new version incorporates more context than ever before as to how merchants can meet the requirements as they’re written,” said Leach. “That’s going to be a big improvement. We recognize that the merchants are aware of their responsibility – but they may not be as aware as they should be of how to best handle card data.”