The upcoming Version 3.0 of the Payment Card Industry data-security standard (PCI) is being billed as having more than a few tweaks but not wholesale changes from the three-year-old Version 2.0 that it will replace in November.
“It’s a medium-sized change,” says Anton Chuvakin, research director, security and risk management, at Stamford, Conn.-based technology research and consulting firm Gartner Inc.
Chuvakin was one of about 1,300 security and tech professionals, a record, who attended the annual North American “community meeting” of the PCI Security Standards Council in Las Vegas this week and saw a draft of Version 3.0. The chief focus was on learning about the upcoming changes in the main PCI standard, the first since the Wakefield, Mass.-based PCI Council switched from a two-year to a three-year upgrade cycle.
PCI compliance is mandatory for all merchants and payment processors that handle general-purpose credit and debit cards, though small merchants continue to lag in getting up to snuff. The coming upgrade will look familiar in that it will retain 12 major requirements. But there will be plenty of changes, some of greater importance than others, in many of the 200-plus sub-requirements.
“We recognize that the changes in 3.0 are going to be much more significant than from [versions] 1.2 to 2.0,” PCI Council chief technology officer Troy Leach tells Digital Transactions News.
One of the biggies, according to Leach and PCI Council general manager Bob Russo, involves more language to make third-party service providers more accountable for data protection. Service providers account for a disproportionate share of data breaches that compromise consumers’ card data because they often configure merchants’ payment systems with default passwords, fail to install software patches when needed, or take other security shortcuts.
The standard also gives more guidance on how to look for malicious tampering and other activities that may have compromised a point-of-sale terminal. The upgrade also will reinforce the concept of security as “business as usual” for entities that handle card data rather than considering PCI compliance something to do once a year to pass an audit, says Russo.
Gartner’s Chuvakin says Requirement 11, which addresses system testing, has improvements, including more guidelines about penetration testing. Such tests probe a network for flaws, and Version 3.0 calls for them to be done from both within and outside the network. “That’s a great idea,” he says, though he notes that extensive penetration testing could be costly for small e-commerce merchants.
In addition, changes in Requirement 6 governing system and software security could place new burdens on software developers and qualified security assessors (QSAs) that do PCI audits. QSAs, for example, will be required to hunt for more hard-to-find flaws such as so-called “memory leaks,” according to Chuvakin. He says “these are legitimate issues” but “many QSAs simply will not be able to judge some of the things. It’s not something a QSA can easily determine.”
Leach says much of the focus on improving software security involves volatile memory, which is for short-term data storage. The idea, he says, is not to make life difficult for QSAs but to improve software when it’s created instead of having to go back to developers for fixes when flaws are found, especially as mobile payments grow.
“We recognized that what we want to do is promote the development of secure development life cycles for these products,” Leach says. “We have a brand new group of mobile-payment developers; we don’t want to repeat the mistakes we made with Web application developers.”
The PCI Council is still digesting the feedback it received during the North American meeting and could make more tweaks before the final standard’s scheduled Nov. 7 release date, according to Russo. The Council will have a European community meeting Oct. 29-31 in Nice, France, and in Asia, its first, on Nov. 30 in Kuala Lumpur, Malaysia.