Stronger Compliance with PCI-DSS 3.0
The compliance and security world is abuzz with the recent announcement by the PCI Data Security Standards Council that PCI-DSS 3.0 will be published in November and will become effective on Jan 1 2014. This may have a broad impact on how e-commerce is secured. PCI-DSS 2.0 has been used as the baseline compliance standard for protecting cardholder data in retail, banking and call centers worldwide. It must be implemented by all entities that process, store or transmit cardholder data. The current PCI-DSS version, 2.0, relies on 6 ‘Control Objectives’, which are explained below:
- Building a Secure Network: Perimeter security and password strength.
- Cardholder Data Protection: Data Storage, Encryption and DLP.
- Vulnerability Management: System security and Anti-virus requirements.
- Access Management: Tokenization, Access control and physical security.
- Monitoring: Monitoring and testing security controls.
- InfoSec Policy: Create and maintain an information security policy.
The current PCI-DSS standard has often been criticized for not providing any real security and for not being as comprehensive as other compliance standards such as ISO 27001. It is usually treated as a once-a-year event: organizations get certified and then do not think about it again until the next audit. This is the gap in which most security breaches happen.
PCI 3.0 should play a larger part in eliminating these shortcomings. One area where things will get better with PCI 3.0 is that, instead of just specifying ‘what needs to be done’, it will also say ‘how it should be done.’ For example, in the current version of the standard, each security control is explained in two columns: one that details the requirement and a second that explains the testing procedure. The new version will add a third column that provides samples and configurations showing how a real problem could be mitigated. PCI 3.0 will also allow the use of a passphrase instead of an alphanumeric password.
PCI-DSS 2.0 also doesn’t provide any guidance on emerging technologies like cloud and mobility platforms. In fact, the current guidance for cloud technologies (issued last year) indicates not to use them at all. This doesn’t help organizations that plan to leverage these emerging technologies for scalability, availability and cost optimization. Also, it is not enough for a merchant to host its operations on a PCI-DSS-compliant cloud and expect to be safe. The PCI DSS 3.0 standard emphasizes the theme of shared responsibility: merchants and cloud service providers should work together and have SLAs in place so that roles and responsibilities are well understood.
One final word of caution for merchants that are currently PCI-DSS certified: the new standard will require some additional work to reach compliance. Instead of a once-a-year checkbox compliance exercise, PCI-DSS 3.0 will require a focus on incorporating policy and ongoing risk assessment throughout the year, similar to ISO-27001 compliance. Merchants will need to establish penetration testing and vulnerability assessment frameworks to maintain compliance throughout the year. This will help achieve consistency around process-oriented controls and a sense of responsibility that extends beyond the last few days before the audit takes place.