Assessing the risk: preparing for PCI DSS v3.0
In August 2013 the PCI Security Standards Council (PCI SSC) published the highlights of the forthcoming PCI DSS (Payment Card Industry Data Security Standard) version 3.0 so that organisations could begin preparing before the standard's release in November 2013. PCI DSS applies to every business that stores, processes or transmits cardholder data, and its purpose is to protect customers' card data from being compromised or stolen by cyber criminals. The standard, first published in December 2004, is organised into 12 core requirements and is designed to give organisations guidance and help them take a proactive approach to securing cardholder data.
In the same August 2013 document, the 'Data Security Standard and Payment Application Data Security Standard Version 3.0 Change Highlights', the PCI SSC stated that poor implementation and maintenance of the standard by businesses has been the biggest stumbling block to achieving PCI compliance, and that the new version is needed to give better guidance on implementation, particularly in increasingly complex business and technology environments. Whilst the highlighted changes address some fundamental security baselines, they still leave some pressing challenges unanswered: the need for a more risk-based approach, the challenges posed by mobile devices, and the role of penetration testing.
When does version three come into effect?
With the 2010 update the PCI SSC moved the standard's development lifecycle from a two-year to a three-year cycle, acknowledging that the extra year gives organisations longer to implement changes before the next version is released. PCI DSS 3.0, due to be formally published in November 2013, contains more changes than its predecessor, PCI DSS 2.0, although the 12 core requirements remain the same. The updated standard takes effect on 1 January 2014. Organisations are encouraged to begin implementing the changes as soon as possible to ensure a smooth transition, but version 2.0 remains valid for assessments until 31 December 2014.
With cardholder data still the top target for criminals, a finding corroborated by our 2013 Trustwave Global Security Report, the PCI SSC Change Highlights document states that a lack of education and awareness around payment security, together with poor deployment and maintenance of the standard, lies behind many of today's data breaches. The updated standard therefore sets out to give more detailed guidance and clarification on how organisations can meet the requirements, including more flexibility, rather than strict prescription, in how the controls are built into a business's everyday environment. At the same time, PCI DSS 3.0 will tighten the rules on how requirements are tested and validated, with specific and rigorous testing procedures that clarify the level of validation an assessor is expected to perform; the aim is greater consistency among Qualified Security Assessors (QSAs). By helping businesses understand the threat environment and manage its evolving challenges, PCI DSS 3.0 is expected to make the intent of each requirement clearer and to align more closely with industry best practice.
Where are the gaps?
One of the biggest areas for improvement in the proposed standard is the security of Point-of-Sale (POS) terminals. Our 2013 Trustwave Global Security Report found that the common attack sequence consists of infiltration, propagation, aggregation and exfiltration. This sequence can be disrupted if companies implement a multi-layered security strategy, but the standard does not go far enough in addressing the risks and threats to the POS terminals themselves, and the proposed requirements need to place more focus on how these endpoints are secured.
We are also seeing mobile endpoints increasingly replacing traditional POS terminals, yet the standard makes no recommendation on how mobile endpoints should be assessed or made compliant even as their use becomes more popular. This is a huge area of growth, and savvy cyber criminals know that compromising such a device can yield not only cardholder data but reams of additional personally identifiable information, such as security codes, email addresses and access to social networks. Moreover, our Trustwave security experts found that mobile malware increased 400 per cent in 2012, which further emphasises the importance of clarifying how this payment channel should be secured so that mobile devices do not remain vulnerable to further attacks.
Another area that needs clarification is third-party management and the age-old question of who is accountable for the data. There should be a designated subject matter expert within the organisation who is responsible for this, and the scope, i.e. which system components are governed by PCI DSS, needs to be properly defined. Ideally the scoping should follow an industry standard methodology if it is to succeed and add value.
Control-based standard vs. risk-based approach
Another area of the standard we would like to see improved is the risk assessment (RA), on which there continues to be insufficient detail. An RA is crucial because it is the process that identifies the weaknesses in a business that could lead to it falling victim to a data breach; having conducted one, an organisation can mitigate those risks in a timely manner with minimum disruption. At the moment the guideline is for businesses to perform just one RA a year, but with organisations and technology changing so rapidly an annual assessment is ultimately ineffective and not a constructive way to analyse, manage and mitigate the risks to the business. We would like to see risk assessments required more often throughout the year, quarterly or at least every six months as a minimum.
As it stands, PCI DSS 3.0 takes a control-based approach and is quite prescriptive, with set requirements that must be met in order to achieve compliance. Whilst this is valuable in many emerging markets, where many organisations were not implementing even a minimum set of controls, it is no longer sufficient for businesses that want to manage their compliance from a risk-based point of view.
Approached from a risk-based perspective, the first item to address is the scoping of the environment, i.e. agreeing which system components, people and processes are included in the PCI DSS assessment; this needs to be tightly defined. From there, the benefit of a risk-based approach is that it can evolve, identifying risk and responding to emerging threats in a timely manner. There needs to be greater focus on agreeing and implementing an industry standard methodology, the frequency of assessments and the team that performs them, an ongoing risk treatment plan, and who gives final approval of the assessments. In practice only industry-certified personnel should perform the assessments, reporting to the person within the organisation who is held legally accountable for achieving and maintaining compliance and reducing risk. It would also be beneficial to emphasise the value of penetration tests in identifying risk, since they simulate known attack techniques and reveal weaknesses in the company's security. Together, frequent risk assessments and penetration testing give organisations a full overview of their security posture and where improvements are needed.
Ultimately, there needs to be a programme or separate standard for the risk-based approach, one that can be updated more frequently to address evolving threats and attack vectors.
How do you know if your QSA is the right one for the job?
The selection of the QSA, a company approved by the PCI SSC to conduct on-site PCI DSS assessments, is key to the whole process. Businesses should ask a number of questions when selecting a QSA, including:
- Has the QSA had any Reports on Compliance (ROCs) rejected?
- Does the QSA have a legal department that has reviewed the report templates and ensured that they are up to standard?
- What assurances can the QSA organisation make?
Ensuring consistency across assessments is key and is one of the greatest challenges facing organisations across the globe. As a certified QSA, we have an internal compliance review board that reviews cases and informs the customer of any changes to the timeline or cost of the assessment.
2014: a new year for PCI Compliance
PCI DSS 3.0 should help businesses strengthen their security posture and give greater guidance to those currently struggling to meet the requirements. However, work remains to be done. Cyber threats are constantly evolving, so PCI DSS 3.0 needs to include security practices that help businesses stay ahead of criminals. Increasing the frequency of assessments and ensuring that businesses have a full overview of their security risks and environment will reduce the risk of a breach and support continuous compliance with PCI DSS 3.0.