For anyone taking electronic payments, the Payment Card Industry Data Security Standard (PCI-DSS) is a critical, must-have compliance component in order to do business. Currently the standard is at the PCI-DSS 2.0 level. The new 3.0 standard is now in development, bringing with it policy and procedural changes that will affect the security of the entire electronic payment ecosystem.
“This new PCI-DSS 3.0 version will bring PCI into line as a business-as-usual activity,” Bob Russo, Payment Card Industry Security Standards Council (PCI SSC) general manager, told eWEEK. “We want to try to get people out of the habit of thinking of PCI-DSS as a once a year event and then not thinking about it, because that’s where we see the breaches happen.”
PCI-DSS has sometimes been thought of as just a compliance activity, where a box indicating a point-in-time level of compliance is checked, after which the organization simply moves on. Russo stressed that in the new PCI-DSS 3.0 standard, there is an emphasis on education and policy, to make payment security an everyday item and a discipline that is always maintained.
Troy Leach, CTO of PCI SSC, explained to eWEEK that there is a real emphasis in the new standard on the process of making things secure. When it comes to PCI-DSS testing, the testing is now intended to make sure that the process is secure, rather than just making sure a company has a specific security technology in place.
“We have incorporated policy and ongoing risk assessment throughout the standard,” Leach said.
What that does, especially in large organizations, is it helps to achieve more consistency around process-oriented controls. There is also more of an emphasis on having an ongoing responsibility that extends beyond just the point-in-time when a PCI-DSS audit takes place.
“The question that the new standard will help merchants to answer is, ‘Do we have the culture to protect our customers’ cardholder data every day and every hour that we’re doing business?'” Leach said.
Although there is an emphasis in PCI-DSS 3.0 to think of the standard as more than just point-in-time compliance, the new standard does not in fact require greater audit frequency than the PCI-DSS 2.0 standard.
“There is no requirement for more reports than an annual validation, but that’s just a snapshot in time,” Leach said. “What we’re hoping with this is that, through the process, there is more regularity of checking by the merchant as the environment changes.”
One area where PCI-DSS has been criticized in the past is the lack of clarity around its provisions. For example, the standard might require an organization to deploy a Web Application Firewall (WAF), but it has not always detailed the proper configuration of the firewall or even why it is needed in the first place. That is a criticism the PCI SSC has heard loud and clear from its members, and so it is set to improve in the new standard.
PCI-DSS 3.0 Security Compliance Gets Stronger
In previous versions of the standard, there have always been two columns that explain a given security control requirement. The first column identifies the requirement, and the second column details the testing procedures. With the PCI-DSS 3.0 standard, there will now be a third column, in which, Leach explained, the standard will aim to provide real-life examples of the risks that the security control is trying to mitigate.
For example, with a WAF, the new standard will explain what that technology should be able to do as well as detail the types of risks that it helps to mitigate.
One key area of change in the PCI-DSS 3.0 standard has to do with passwords. PCI SSC has done research into password strength over the last three years, which helped inform the new requirements.
“Passphrases can have equivalent strength to short alphanumeric passwords,” Leach said.
With a passphrase, a phrase (e.g., “johnny walked the dog”), spaces included, is used in place of a single-word password. The new standard still requires that, at a minimum, passwords be seven characters long and alphanumeric, but it now also offers the option of using a passphrase as an alternative.
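As an added illustration (not code from the article or from the PCI SSC), the following Python checks a credential against the two branches described above, the seven-character alphanumeric minimum from the article and a passphrase alternative, and estimates the entropy of each approach. The passphrase rule used here (at least three space-separated words) and the dictionary size are assumptions for illustration, not figures from the standard.

```python
import math

# Added example, not from the eWEEK article or the PCI SSC. The
# seven-character alphanumeric minimum comes from the article; the
# passphrase rule (three or more words separated by single spaces) is
# an assumed stand-in for whatever PCI-DSS 3.0 actually specifies.
MIN_PASSWORD_LEN = 7        # from the article
MIN_PASSPHRASE_WORDS = 3    # assumption, not from the article


def is_alnum_password(secret: str) -> bool:
    """At least seven characters, containing both a letter and a digit.
    Symbols are allowed; "alphanumeric" here means letters AND digits
    are both present, which is how PCI phrases the requirement."""
    return (len(secret) >= MIN_PASSWORD_LEN
            and any(c.isalpha() for c in secret)
            and any(c.isdigit() for c in secret))


def is_passphrase(secret: str) -> bool:
    """Several alphabetic words separated by single spaces (assumed rule).
    Empty words from doubled spaces fail str.isalpha() and are rejected."""
    words = secret.split(" ")
    return (len(words) >= MIN_PASSPHRASE_WORDS
            and all(w.isalpha() for w in words))


def classify(secret: str) -> str:
    """Report which policy branch the credential satisfies, if any."""
    if is_alnum_password(secret):
        return "password"
    if is_passphrase(secret):
        return "passphrase"
    return "rejected"


def random_password_bits(length: int, alphabet_size: int = 62) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet).
    62 = upper + lower case letters + digits."""
    return length * math.log2(alphabet_size)


def random_passphrase_bits(words: int, dictionary_size: int = 7776) -> float:
    """Entropy of words drawn uniformly from a word list; 7776 is an
    assumed list size, chosen only so the comparison is concrete."""
    return words * math.log2(dictionary_size)


if __name__ == "__main__":
    for s in ("abc1234", "abcdefg", "johnny walked the dog"):
        print(f"{s!r}: {classify(s)}")
    print(f"7-char alnum: {random_password_bits(7):.1f} bits")
    print(f"4-word phrase: {random_passphrase_bits(4):.1f} bits")
```

The entropy figures apply only to randomly generated credentials; a human-chosen phrase such as the article's example is far weaker than the uniform estimate.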
A key area of concern in recent years with PCI-DSS has been its applicability to cloud environments. Simply put, it’s not enough for a merchant to host its operations on a PCI-DSS-compliant cloud and expect to be safe.
Leach stressed that in the PCI-DSS 3.0 standard there is an emphasis on the theme of shared responsibility. That is, the merchant and the cloud provider need to work together and have agreements in place so that areas of responsibility are understood.
The PCI-DSS 3.0 standard is currently in its final phases of development. PCI SSC will hold a series of community meetings over the next several months to further refine and tweak the specification, according to Russo. The final standard will be published in November and will then become effective on Jan. 1, 2014.
Although PCI-DSS 3.0 becomes effective in January, existing PCI-DSS 2.0-compliant vendors will have a one-year grace period to move to the new standard.
“The changes we are making in the new standard were based on feedback we received and the challenges we see,” Russo said. “We believe we are now making the standard stronger.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.