    EMV Among the Missing Pieces of PCI DSS 3.0

    Written by

    Sean Michael Kerner
    Published December 17, 2014

      On Jan. 1, 2015, the Payment Card Industry Data Security Standard (PCI DSS) version 3.0 formally goes into effect, ushering in a new era of compliance specifications to secure payment card data. The PCI DSS 3.0 specification was approved in December 2013, giving retailers and those who handle payments a year to get ready.

      The PCI DSS 3.0 specification includes many improvements and process clarifications over PCI DSS 2.0. With PCI DSS 3.0, there is a clear focus on making security an ongoing process, as opposed to a once-a-year activity with checkbox items for compliance.

      Although there are many different requirements in PCI DSS 3.0, some items that are part of secure payment deployments are not part of the specification. One of the most often discussed security improvements for payments, especially in the United States, is the move to chip-based payment cards, commonly called chip-and-PIN cards, built on the EMV (Europay, Mastercard, Visa) standard.

      Although EMV is considered by many to be a security improvement over magnetic-stripe-based credit cards, PCI DSS 3.0 does not mandate the use of EMV—and likely never will.

      “PCI DSS 3.0 is mute on EMV, and the reason [is that] EMV is essentially an anti-fraud mechanism,” said Greg Rosenberg, security engineer at Trustwave. “PCI DSS is a mechanism to prevent card data from being stolen,” he told eWEEK.

      Speaking metaphorically, Rosenberg compared PCI DSS and EMV to peanut butter and jelly. He added that there is some degree of collaboration across the standards bodies that govern PCI DSS and EMV, and both groups understand that using the two standards together is powerful for security.

      “I think that EMV has been mislabeled in terms of its data security potential,” Rosenberg said. “It’s a great tool that largely focuses on increasing the cost of replicating a card if it is stolen.”

      The EMV specification does not deal with card data security after the card data has been captured by a point-of-sale (POS) device, Rosenberg said. In contrast, that’s the area where PCI DSS is strong, helping to provide guidance and best practices for securing the card holder data.

      “EMV, used properly in the right context will be a great anti-fraud mechanism,” Rosenberg said.

      Nicholas Percoco, vice president of strategic services at Rapid7, noted that PCI DSS has never had an emphasis on the actual types of payment cards that merchants should accept. Payment card technology discussions are held at the card brand and card issuer level, he added.

      “As new technologies come in like EMV and Apple Pay, PCI DSS will continue to evolve to secure payment card data,” Percoco said. “But as far as I know, PCI will not call out the use of EMV; that activity only comes out of direct mandates from the card brands.”

      EMV use in the United States is set to grow in the coming year, with a recent report forecasting that up to 70 percent of U.S. credit cards will have EMV chip-and-PIN technology by the end of 2015.

      Penetration Testing

      While the overall PCI DSS 3.0 specifications are effective Jan. 1, not all of the requirements in the new specifications go into effect on that date. Among the delayed PCI DSS 3.0 requirements is one for enhanced penetration testing.

      “Penetration testing has been required in previous PCI DSS versions and is still required with PCI DSS 3.0; the difference is the methodology,” Percoco said.

      Percoco explained that previous versions did not clarify whether cardholder data had to be isolated and segmented from the rest of an organization's corporate environment, and did not define the scope of the penetration test, that is, where the tester should start from. A more effective test, he said, is run from outside the environment where the cardholder data is stored, which could be the corporate segment of the organization's network; the tester then tries to reach the cardholder data environment from there.

      “There have been data breaches where the attackers gained access to the corporate environment first and then used that as a base to attack the card holder data,” Percoco said. “Simulating that kind of attack is extremely important.”

      The new penetration testing methodology requirement (Requirement 11.3 in PCI DSS 3.0) goes into effect July 1, 2015. Percoco said the delay is likely due to the cost of executing the new type of testing. “Money is typically the driver around delayed requirements,” Percoco said.

      An organization that is certified PCI DSS 3.0 compliant on Jan. 1 does not need to meet the new penetration testing requirement until it recertifies. Any PCI DSS 3.0 assessment completed on or after July 1 will, in fact, need to comply with the new penetration testing requirement.

      Trustwave’s Rosenberg noted that in the past many merchants most likely just ran a basic scan, called it a penetration test and then checked it off the list for PCI DSS compliance.

      “The new penetration testing requirements in PCI DSS 3.0 are now also more impactful because it applies to more merchants that had never previously done penetration testing,” Rosenberg said. “Namely, any merchant that segments their environment now has to do a penetration test to prove that the segmentation is adequate.”
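      The segmentation test Percoco and Rosenberg describe comes down to one question: from a segment the organization says is out of scope, can you reach anything in the cardholder data environment? The following is an added example, written for this page rather than taken from the article, Rapid7 or Trustwave, of the reachability half of that check in Python. It attempts TCP connections to a list of CDE endpoints from wherever it runs and flags any that connect and are not on a documented allow-list. The host names, ports and allow-list are constructed placeholders; to run offline, the script stands up a local listener to play the part of an exposed CDE service and uses an unbound local port as a correctly blocked one.

```python
"""Segmentation reachability check: probe cardholder-data-environment (CDE)
endpoints from an out-of-scope vantage point (e.g. a corporate-network host)
and report any that accept a TCP connection.

Added example, not code from the article or the vendors quoted in it.
Endpoints and the allow-list are constructed placeholders."""
import socket
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int

    def __str__(self) -> str:
        return f"{self.host}:{self.port}"


def probe_tcp(ep: Endpoint, timeout: float = 1.0) -> bool:
    """Return True if a full TCP handshake completes with ep.

    A completed handshake means the segmentation control (firewall rule,
    ACL, VLAN boundary) let the SYN through. Refused, filtered and
    timed-out probes all count as blocked for this check."""
    try:
        with socket.create_connection((ep.host, ep.port), timeout=timeout):
            return True
    except OSError:
        return False


def segmentation_violations(cde_endpoints: Iterable[Endpoint],
                            allowed: FrozenSet[Endpoint] = frozenset(),
                            timeout: float = 1.0) -> List[Endpoint]:
    """Probe every CDE endpoint and return those that are reachable but not
    on the documented allow-list of paths the CDE design permits (for
    example a hardened jump host).

    Run from each segment the assessor classified as out of scope. A
    non-empty result means that segment is not actually isolated from the
    CDE and has to be brought into PCI DSS scope (or the control fixed)."""
    return [ep for ep in cde_endpoints
            if ep not in allowed and probe_tcp(ep, timeout)]


def report(violations: List[Endpoint]) -> str:
    """Human-readable verdict for the assessment evidence."""
    if not violations:
        return "PASS: no CDE endpoint reachable from this vantage point"
    lines = ["FAIL: segmentation control did not block:"]
    lines += [f"  {ep}" for ep in violations]
    return "\n".join(lines)


# --- helpers so the example runs offline against constructed local targets ---
def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Stand-in for an exposed CDE service: a listening socket on a
    kernel-chosen port. The handshake completes from the backlog, so no
    accept() loop is needed for the probe to succeed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def free_port(host: str = "127.0.0.1") -> int:
    """Stand-in for a correctly blocked CDE service: a port nothing listens on."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed scenario: one "CDE" port is exposed to this segment, one is not.
    srv = start_listener()
    exposed = Endpoint("127.0.0.1", srv.getsockname()[1])
    blocked = Endpoint("127.0.0.1", free_port())
    try:
        print(report(segmentation_violations([exposed, blocked])))
    finally:
        srv.close()
```

      In use, the endpoint list is the inventory of CDE hosts and services from the scoping exercise, and the script is run from every segment claimed to be outside the CDE, with the allow-list limited to the paths the network design documents. A PASS only shows that no TCP path exists from that vantage point at that moment; a full Requirement 11.3.4 segmentation test also covers UDP and ICMP, application-layer pivots through hosts that are allowed to talk to the CDE, and review of the firewall rules themselves, none of which this check performs.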

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
