Q&A: New PCI Standard Cuts WEP, Courts Flexibility
Today is the day that the latest iteration of the PCI Data Security Standard, version 1.2, officially hits the streets, and eWeek Security Watch was recently offered the unique opportunity to sit down with Bob Russo, General Manager of the PCI Council, to chat about what the new version of the standard means, and how the entire effort to develop and enforce the mandate is progressing.
For those in the dark, PCI DSS is the security standard that the world's largest card brands (Visa, MasterCard, American Express, Discover and JCB, the companies that also make up the Council) impose on every organization that stores, processes or transmits cardholder data, to foster improved security of their customers' financial information and to try to slow down the worldwide online credit card fraud and ID theft epidemics.
First launched in Dec. 2004, the standard has now gone through several updates, and has also been incrementally pushed down the food chain from large enterprises to smaller retailers, and it is also being rolled out around the globe.
And while some critics still claim that PCI DSS is ineffective at protecting electronic data and merely makes it harder for retailers and the like to do business, other industry watchers have praised the effect that the standard has had in improving security throughout the credit card ecosystem.
Specific changes in version 1.2, the first major update to PCI DSS since version 1.1 in Sept. 2006, include a requirement that companies running wireless transaction systems abandon Wired Equivalent Privacy (WEP), whose RC4 keying flaws let a passive attacker recover the network key in minutes, in favor of the more contemporary Wi-Fi Protected Access (WPA), along with rule changes aimed at giving affected companies more flexibility, and more time, to patch their various electronic systems.
According to Russo, the enduring hallmark of the 1.2 revision will be that its modifications have been driven specifically by feedback derived from the very businesses it aims to address, making it more relevant and effective.
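The WEP-to-WPA change is the one requirement in 1.2 that an assessor can test directly against device configuration. The following audit script is an added example for this article, not code from eWeek, Russo or the PCI Council: it parses hostapd-style access point configs (the key names wep_key0..3, wep_default_key, wpa, wpa_key_mgmt, wpa_pairwise and rsn_pairwise are hostapd's; the three sample configs are constructed) and reports whether each AP is still on WEP, has moved to WPA/WPA2, or has no link-layer protection at all.

```python
"""Audit hostapd-style access point configs against the wireless change in
PCI DSS 1.2: WEP must go, WPA is the acceptable replacement.

Added example, not code from the article or from the PCI Council. The key
names are hostapd's; the sample configs below are constructed for illustration.
"""
from typing import Dict, List

# Constructed sample: a legacy point-of-sale AP still on 40-bit WEP with
# shared-key authentication permitted (auth_algs=3 = open and shared key).
WEP_CONFIG = """
interface=wlan0
ssid=POS-LEGACY
hw_mode=g
channel=6
auth_algs=3
wep_default_key=0
wep_key0=3132333435
"""

# Constructed sample: the same AP migrated to WPA2-PSK with CCMP (AES).
WPA_CONFIG = """
interface=wlan0
ssid=POS-SECURE
hw_mode=g
channel=6
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct horse battery staple pos 2008
"""

# Constructed sample: no link-layer protection configured at all.
OPEN_CONFIG = """
interface=wlan0
ssid=GUEST-OPEN
hw_mode=g
channel=11
"""

# hostapd's "wpa" value is a bitfield: bit 0 = WPA (v1), bit 1 = WPA2/RSN.
WPA_MODES = {"1": "WPA", "2": "WPA2", "3": "WPA/WPA2 mixed"}


def parse_hostapd(text: str) -> Dict[str, str]:
    """Parse key=value lines, skipping blanks and '#' comments.
    If a key repeats, the last occurrence is kept (good enough for an audit)."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def classify_wireless(conf: Dict[str, str]) -> Dict[str, object]:
    """Report the protection mode of one AP and whether it meets the rule.

    Any configured WEP key marks the AP as WEP regardless of other settings;
    that is the conservative reading an assessor should take.
    """
    ssid = conf.get("ssid", "<no ssid>")
    wep_keys = sorted(k for k in conf if k.startswith("wep_key"))
    if wep_keys:
        return {"ssid": ssid, "mode": "WEP", "compliant": False,
                "reason": "WEP key(s) configured: " + ", ".join(wep_keys)}
    mode = WPA_MODES.get(conf.get("wpa", "0"))
    if mode:
        cipher = conf.get("rsn_pairwise") or conf.get("wpa_pairwise") or "default"
        mgmt = conf.get("wpa_key_mgmt", "unspecified")
        return {"ssid": ssid, "mode": mode, "compliant": True,
                "reason": f"{mode} with {mgmt} / {cipher}"}
    return {"ssid": ssid, "mode": "open", "compliant": False,
            "reason": "no link-layer encryption configured"}


def audit(configs: Dict[str, str]) -> List[Dict[str, object]]:
    """Classify every config (name -> file contents); failures are listed first."""
    findings = [dict(name=name, **classify_wireless(parse_hostapd(text)))
                for name, text in configs.items()]
    return sorted(findings, key=lambda f: f["compliant"])


if __name__ == "__main__":
    for f in audit({"pos-legacy.conf": WEP_CONFIG,
                    "pos-secure.conf": WPA_CONFIG,
                    "guest.conf": OPEN_CONFIG}):
        status = "PASS" if f["compliant"] else "FAIL"
        print(f"{status} {f['name']:18} {f['ssid']:12} {f['mode']:16} {f['reason']}")
```

Run against a directory of collected hostapd.conf files, the FAIL rows are the access points that the 1.2 deadline applies to; note that an open network fails for a different reason than WEP does, and the report says which.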
SecurityWatch: How do you feel that participation has been overall, in terms of affected companies truly working to comply with PCI-DSS?
Russo: Participation has actually been terrific. For instance, we're expecting over 500 participants at the PCI SSC North America Community Meeting in September, compared to 325 one year ago, and at our European Community Meeting in October, our first official EU event of its kind, we already have 150 people coming. And this includes a lot of qualified assessors and solutions vendors, along with companies interested in learning more about what is expected of them.
SecurityWatch: What has the feedback been like around 1.2 so far?
Russo: I'd say that it's been largely positive. We didn't want to surprise anyone with any part of the revision, so we made sure to let people know well in advance what was coming. Really, not a lot has been changed, just a snippet of the overall standard, and a lot of it was eliminating things that were seen as too subjective and clarifying points that we'd been told were confusing.
SecurityWatch: What do you see as the most important element of the revision beyond those clarifications?
Russo: We wanted to put a stake in the ground regarding WEP, and really that doesn't constitute a ban until after 2010, so we are trying to make things as easy on those affected as possible. Some people are happy and of course others are concerned, specifically about the costs if they've invested heavily in WEP, but ultimately we felt that WEP needed to go.
SecurityWatch: The thing you often hear about security standards is that the individual requirements are either too prescriptive or too vague. How has the PCI Council tried to strike a balance in that sense?
Russo: As much as people will tell you that they don't want prescription, they will typically end up asking you what you want them to do more specifically. What we're doing to make this as little of an issue as possible is use the community as a sounding board to see what they want us to do, and we're often told by these companies affected by PCI that they're tired of the ambiguity in other standards including SOX and GLBA. We're trying to be as sensible as possible in approaching this entire process and engaging the community to get their feedback.
SecurityWatch: The PCI Council has also been incrementally moving the standard down the stack, and now that it is moving to force tier 4 companies to comply, you're dealing with much smaller businesses that have far fewer IT security resources. How are those companies handling this whole process?
Russo: It is a big education process with the smaller companies, and some are still only finding out about [DSS] from the credit card providers, but it will be more unfortunate if they find out why we need to do this the hard way, because a data breach could be far more damaging to a small business than a large one in some senses. It is an ongoing process and we're working to communicate with these companies more directly, but it also behooves them to educate themselves and understand how they need to move to comply over time.
SecurityWatch: What types of negative feedback have you been getting in general?
Russo: Wireless remains a big concern, and there is also the issue of pre-authorized transactions, say at a gas station pump, and how that data needs to be handled, but we're working on those things as we speak, as in the case of WEP in 1.2. Overall you will always get some negative feedback about certain requirements or from certain verticals, but really, those most concerned have the chance to voice their opinions in the community, so we're actively trying to engage people in the development of the standard, and that helps cut down on the negativity quite a bit.
SecurityWatch: Do you feel that with 1.2, PCI is now a mature security standard?
Russo: From what we're told by a lot of people, many feel that PCI is actually the best standard out there in terms of its levels of prescription. We also think that companies that are becoming compliant are seeing fewer breaches, and there's no stronger evidence of doing things the right way than that.
SecurityWatch: People have said that Hannaford Brothers was certified as PCI compliant before its breach. What are your thoughts on that?
Russo: No one knows if they were compliant or not, they haven't shared all the information so no one can say for sure. But, what we do say is that even once you have got your certificate, you have to work to remain compliant, you can't just put it in a drawer and sit back and assume that you're safe.
SecurityWatch: I've heard some rumblings about inconsistency among the Qualified Security Assessors (QSAs) who are certified to complete PCI compliance reviews. How are you handling that issue?
Russo: We're doing everything that we can to ensure that there is consistency in the training for these providers; we're testing them and doing background checks to ensure that they are the right people to do this work. We've launched a quality assurance program for all of the QSAs and all the qualified automated scanning vendors (ASVs). We're making sure that all of these companies are going through this process, submitting their documentation and showing how they do the work. Right now we feel there is a level playing field, but there will always likely be different opinions on that, as we've seen with other standards efforts.
SecurityWatch: How are efforts to expand PCI going outside of North America?
Russo: Well, as I said, we're really looking forward to our first EU community meetings. Beyond that, things have really ramped up in the U.K. and throughout the Nordic countries. We have had some issues with pushback, but that is to be expected, and things are coming along and we're getting more members onboard. One major issue is that [chip and PIN] systems have been more widely adopted in Europe, but from a security standpoint, those aren't a great solution, so we're trying to educate around that and have discussions with people about the technological details. That dialogue is advancing all the time. And things are moving forward in the Asia-Pacific region as well; more people are getting involved all the time.
SecurityWatch: What are your biggest concerns about DSS and its application over the next several years?
Russo: We're always concerned about new attack profiles, for obvious reasons. Right now we're confident that we're reasonably well covered with the things we know about, but there is always something new emerging with the evolution of technology. We're concerned about companies that were certified as compliant being breached. We really do think that is unlikely if they maintain their controls, but that is the sort of thing you always worry about with this type of an effort. We don't want to spring things on people, but some new type of attack or vulnerability could come along, and that's something that we'll always have to deal with.
SecurityWatch: What do you see in the future in terms of how PCI DSS will continue to evolve?
Russo: Well, of course we hope that it improves over time. It does seem to be branching out, sort of like a spider, with a lot of different arms and areas of interest, and we will continue to court the community's input every step of the way. We will address applications, ATMs and kiosks, and there will be additional hardware and software modules introduced, but I don't think that any of this is too hard to predict. It will become broader, and likely more prescriptive, over time. We'll have to adjust to new emerging technologies, and hopefully compliance will get cheaper as well. Basically, we want it to be the best standard out there, one that others use to model their own efforts. But we already see that happening.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.