The Payment Card Industry Data Security Standard (PCI DSS) has been around for many years. Regardless, we think it is worthwhile to review the history of PCI and explore current and future developments to better capitalize on the value-add of PCI.
PCI-DSS…a gleam in the eye of fraud mitigation
The PCI Compliance program began in the Payment Card Industry, which encompasses credit and debit cards, Point-of-Sale (POS) terminals, and card-not-present transactions. Industry players include the credit card brands, merchants, service providers who process transactions, card-issuing banks, and other third parties that play a role in payment processing.
At the center of PCI Compliance lies PCI-DSS. The PCI-DSS was born from the card brands’ struggle to mitigate fraud. By the 2000s, the five major card labels were losing hordes of cards and billions in funds to fraud. By 2001, the card companies independently developed security programs for merchants to follow.
These programs saw limited success because they asked merchants to adhere to differing standards. In 2004, the card brands created the PCI-DSS to provide unity in a single security standard. In 2006, the card companies formed a separate body, the Payment Card Industry Security Standards Council (PCI SSC), to administer PCI programs and maintain/write future standards.
Adherence to the requirements within the PCI-DSS is essential for demonstrating compliance. According to Verizon’s Payment Card Industry Compliance Report, the most compliant organizations are least likely to see breaches. The major card brands have determined that anyone who wants to do business using their cards must follow this standard. There are penalties for noncompliance, particularly if you are the victim of a breach. The card companies can fine a merchant and ban them from accepting their cards.
PCI compliance – State of the Union
The PCI-DSS v3.2 includes Designated Entities Supplemental Validation (DESV) criteria, which address oversight of PCI-DSS compliance programs, scoping card data environments, incorporating PCI DSS activities into “business as usual” practices, and setting up detection and alerts of security control failures.
Compliance with PCI security requirements is reported based on four merchant levels. Once the merchant, acquiring bank, or payment processor determines the correct level, the merchant will need to demonstrate compliance based on specific criteria using one of the available Self-Assessment Questionnaires (SAQs). They must submit the appropriate SAQ and its associated Attestation of Compliance (AoC) to their acquiring bank or merchant processor. They must also demonstrate via “clean” vulnerability scans every 90 days that they have a program in place to continuously address vulnerabilities in their internet-facing systems. A PCI-SSC-approved scanning vendor must perform these scans.
The PCI-DSS is approaching a milestone in securing payment communications. The standard will finalize migration from the Secure Sockets Layer (SSL version 3) protocol to the Transport Layer Security (TLS version 1.2) protocol—a more secure encryption system—by June 30, 2018. Also, in 2019 the PCI SSC is scheduled to release version 4.0 of the PCI DSS.
Alternative payment methods such as mobile payment apps (e.g., Apple Pay) and monetary systems such as Bitcoin will shape the future of payment processing security. Some 89% of retail transactions still happen in stores in the U.S. with most people using credit and debit cards, so the need for the PCI DSS is not likely to disappear too soon. PCI will remain relevant for at least the next ten years while the lion’s share of transactions continues to use these cards. The PCI-DSS may retain or increase its value by evolving new standards that address alternative payments and systems as these demonstrate vulnerabilities to fraud.
Warning! Compliance does not equate to security
Complying with the PCI DSS alone does not equal security. Organizations have valuable information besides payment card data, such as intellectual property. Compliance with the PCI DSS alone will not necessarily defend your business against attacks on these other targets.
Following the steps to meet PCI Compliance and remaining compliant have apparent rewards. The best approach is to treat compliance efforts like a continuous program rather than a once-per-year project. For example, the PCI DSS requires you to capture logs and review them every day. The PCI-DSS also requires other activities on a weekly, monthly, or quarterly basis that you cannot ramp up at the last minute.
Automating security activities is essential for most companies to manage the tasks required to comply with the PCI DSS effectively and, if the standard is used as a framework for your cybersecurity program, to secure the entire organization. See how Nehemiah Security can help you meet, manage, or track numerous technical security requirements from the PCI DSS – contact us to learn more.
About the author:
Jeff Man is a respected Information Security expert, adviser, evangelist, and co-host on Paul’s Security Weekly. He has over 35 years of experience working in all aspects of computer, network, and information security, including risk management, vulnerability analysis, compliance assessment, forensic analysis and penetration testing. Previously he held security research, management and product development roles with the National Security Agency, the Department of Defense and private-sector enterprises and was part of the first penetration testing “red team” at NSA. For the past 20 years, he has been a pen tester, security architect, consultant, QSA, and PCI SME, providing consulting and advisory services to many of the nation’s best known companies.