eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.
On Jan. 1, 2015, the Payment Card Industry Data Security Standard (PCI DSS) version 3.0 formally goes into effect, ushering in a new era of compliance specifications to secure payment card data. The PCI DSS 3.0 specification was approved in December 2013, giving retailers and those who handle payments a year to get ready.
The PCI DSS 3.0 specification includes many improvements and process clarifications from the PCI DSS 2.0. With PCI DSS 3.0, there is a clear focus on making security an ongoing process, as opposed to just a once-a-year activity with checkbox items for compliance.
Although there are many different requirements in PCI DSS 3.0, some items that are part of secure payment deployments are not part of the specification. One of the most often talked about security improvements for payments, especially in the United States, is the use of chip-and-PIN credit cards, also known as EMV (Eurocard Mastercard Visa).
Although EMV is considered by many to be a security improvement over magnetic-stripe-based credit cards, PCI DSS 3.0 does not mandate the use of EMV—and likely never will.
“PCI DSS 3.0 is mute on EMV, and the reason [is that] EMV is essentially an anti-fraud mechanism,” said Greg Rosenberg, security engineer at Trustwave. “PCI DSS is a mechanism to prevent card data from being stolen,” he told eWEEK.
Speaking metaphorically, Rosenberg compared PCI DSS and EMV to peanut butter and jelly. He added that there is some degree of collaboration across the standards bodies that govern PCI DSS and EMV, and both groups understand that using the two standards together is powerful for security.
“I think that EMV has been mislabeled in terms of its data security potential,” Rosenberg said. “It’s a great tool that largely focuses on increasing the cost of replicating a card if it is stolen.”
The EMV specification does not deal with card data security after the card data has been captured by a point-of-sale (POS) device, Rosenberg said. In contrast, that’s the area where PCI DSS is strong, helping to provide guidance and best practices for securing the card holder data.
“EMV, used properly in the right context will be a great anti-fraud mechanism,” Rosenberg said.
Nicholas Percoco, vice president of strategic services at Rapid7, noted that PCI DSS has never had an emphasis on the actual types of payment cards that merchants should accept. Payment card technology discussions are held at the card brand and card issuer level, he added.
“As new technologies come in like EMV and Apple Pay, PCI DSS will continue to evolve to secure payment card data,” Percoco said. “But as far as I know, PCI will not call out the use of EMV; that activity only comes out of direct mandates from the card brands.”
EMV use in the United States is set to grow in the coming year, with a recent report forecasting that up to 70 percent of U.S. credit cards will have EMV chip-and-PIN technology by the end of 2015.
Penetration Testing
While the overall PCI DSS 3.0 specifications are effective Jan. 1, not all of the requirements in the new specifications go into effect on that date. Among the delayed PCI DSS 3.0 requirements is one for enhanced penetration testing.
EMV Among the Missing Pieces of PCI DSS 3.0
“Penetration testing has been required in previous PCI DSS versions and is still required with PCI DSS 3.0; the difference is the methodology,” Percoco said.
Percoco explained that, in the past, there was no clarification about whether card holder data is isolated and segmented away from the rest of an organization’s corporate environment. He added that there wasn’t a scope requirement for what the penetration environment needed to look like. Percoco said that the more effective way to test an environment is to perform a penetration test from outside of where the card holder data is stored, which could even be in the corporate section of an organization’s network.
“There have been data breaches where the attackers gained access to the corporate environment first and then used that as a base to attack the card holder data,” Percoco said. “Simulating that kind of attack is extremely important.”
The new penetration testing methodology requirement goes into effect July 1, 2015. Percoco said that the reason for the new penetration testing requirement is likely due to the costs involved in executing the new type of testing. “Money is typically the driver around delayed requirements,” Percoco said.
If an organization is certified to be PCI DSS 3.0 compliant on Jan. 1, they do not need to meet the new penetration testing requirements until they recertify. Any PCI DSS 3.0 certification done on or after July 1 will, in fact, need to comply with the new penetration testing requirements.
Trustwave’s Rosenberg noted that in the past many merchants most likely just ran a basic scan, called it a penetration test and then checked it off the list for PCI DSS compliance.
“The new penetration testing requirements in PCI DSS 3.0 are now also more impactful because it applies to more merchants that had never previously done penetration testing,” Rosenberg said. “Namely, any merchant that segments their environment now has to do a penetration test to prove that the segmentation is adequate.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.