PCI DSS 3.0 compliance deadline approaches. Will it make any difference?

Don't expect credit card security or lack of it to be magically transformed when the new year dawns on Jan. 1, 2015, the deadline for compliance with the Payment Card Industry Data Security Standard (PCI DSS) 3.0.

The standard, which sets security requirements for all companies that access, store or transmit cardholder data (CHD) and personally identifiable information (PII), was published nearly a year ago, on Nov. 7, 2013, and has technically been in effect all of this year.

Yet high-profile breaches of credit card data continue with alarming regularity.

Retailer Target suffered one of the largest breaches in history, 40 million credit card numbers and 70 million personal information records, last December, less than a month after the latest version of the standard was published.


More recently, P.F. Chang's, the thrift store operations of Goodwill Industries International and Supervalu, owner of hundreds of grocery and liquor stores, have been successfully hacked.

Supervalu said there was also a related intrusion into stores it sold in March 2013 to Cerberus Capital Management but still provides with IT services, including Albertsons, Acme, Jewel-Osco, Shaw's and Star Market.

But in spite of that sobering reality, analysts tend to agree that the new standard (see sidebar below) provides a blueprint for best practices that, if observed in a "business as usual" way, will prevent most breaches.

Indeed, Bloomberg Businessweek reported in March that if Target had been more observant, it could have prevented the historic breach. The company was prepared for an attack, with a $1.6 million malware detection tool made by security firm FireEye, but failed to respond to its warnings.

"As (hackers) uploaded exfiltration malware to move stolen credit card numbers ... FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then ... nothing happened," Bloomberg reported. "For some reason, Minneapolis didn't react to the sirens."

Those warnings came before the hackers had transmitted any of the stolen data, which means the company could have avoided more than 90 lawsuits, expenses that could reach into the billions, a staggering loss of market share and brand damage if it had simply responded to its compliant system.

Bob Russo, general manager at the PCI Security Standards Council (SSC), which develops and publishes the standards, has a measure of sympathy for Target. He said he has multiple layers of security at his three-family home in New York City. "We checked all the boxes," he said.

Yet, at 5 a.m. one morning, "somebody pranced in and walked out with a laptop. Thankfully it was encrypted," he said. "But how did that happen? We forgot to do something the night before."

And that, he said, is the point: Security standards can only be effective if a company is in compliance all the time. That comports with a long-time mantra of security experts, that "compliance is not security," especially when companies scramble to meet compliance standards for a yearly audit, but then let things slide until the next audit is approaching.

John Shier, who blogs for Naked Security, agrees, but said that "snapshot compliance" remains a problem with the new standard.

Shier, who conducted a mini-debate with himself earlier this year with dueling blog posts over what he considers the successes and failures of the new standard, contended in the "Why it fails" post that, "one of the greatest failures of the PCI DSS is its compliance-as-a-snapshot nature."

The standards do have a "business-as-usual recommendation," he wrote. "But that's all it is: a recommendation."


Not so, contends Troy Leach, chief tech officer of the PCI SSC. "We hear that all the time," he said, "and we wonder, 'Have they actually read the standard?' We've been very proactive in the continuous security approach; they are requirements."

Leach said the council has "published a couple of documents along that line. You're going to fail if you're looking at getting just a snapshot of compliance," he said, adding that the standard explicitly calls for "continuous monitoring of the environment. It's not about being compliant for two months and then taking 10 months off."

That resonates with Christopher Strand, compliance consultant at Bit9, who said the new standard is a "more direct approach to encouraging businesses to ensure that security controls are actually effective at protecting critical data rather than getting a check mark."

And Alphonse Pascual, practice leader for fraud and security at Javelin Strategy & Research, said any organization that implements the standards fully would be "an incredibly hard target for hackers."

But there are mixed estimates about whether some merchants will be ready even for "snapshot" compliance by the deadline. According to the Verizon Business 2014 PCI report, only 10 percent of companies are passing their baseline assessment. On the other hand, Kurt Roemer, chief security strategist at Citrix, told Security Week recently that organizations are "overwhelmingly ready for PCI DSS 3.0."

Leach said readiness generally depends on the size of the company. He said most of the largest, so-called Level 1 merchants, "are prepared and aware. The small ones, not so much."

Russo was a bit more emphatic. "Some of the SMBs (Small and Medium Businesses) don't know which end is up," he said.

That, they both agreed, means the council has to do more outreach and education. "We are working on how to bridge that," Leach said. "We're partnering with banks and merchant associations, we have an SMB web site and are looking at several other things this year."


That outreach, and the move to include even the smallest merchants under the PCI DSS, drew compliments from Joram Borenstein, vice president at NICE Actimize, who said that while it is not perfect, "the council is quite logically attempting to level the so-called playing field by reaching out to smaller merchants with dedicated resources and options for those merchants."

Shier, in his "Why it works" blog post, also praised the council for demanding the same security practices from small merchants as it does from large ones, and for providing help to those small companies in the form of a "handy PDF guide aimed at smaller businesses," and lower-cost alternatives for getting compliance certification.

Even with that help, however, compliance will not be easy or cheap for smaller companies. Hardly any of them have the expertise to implement everything required for compliance without the help of a Qualified Security Assessor (QSA). Shier noted that while the standard allows smaller companies to do their own assessments, that would "make as much sense as performing your own dental surgery.

"The PCI DSS contains over 200 sub-requirements," he wrote. "Each must be fully understood and correctly implemented in order to stay compliant."

Strand said the demands on smaller merchants are generally not as complex as they are for larger ones. But he said the expanded scope of requirements will have an impact.

One new element is that "vendors must consider integrated systems and other connections into their credit card data environment that weren't traditionally considered in scope for PCI," he said. "This will probably create more confusion in interpreting the requirements of the standard."

And Rich Mogull, analyst and CEO at Securosis, who has been critical in the past of the standard, arguing that it is aimed more at protecting the credit card companies than merchants and customers, said he doubts the new standard will change things much, given the complexity and cost of compliance.

"There is more of a move to continuous compliance, but really that's not something most organizations are ready for," he said. "It will be interesting to see if anything changes."

If things do change, it may be at least in part because of increased awareness of the damage that a high-profile breach can cause.

"Data security has become a board-level topic of discussion," Borenstein said. "Executives recognize that the impact of a serious card loss breach can have a significant impact on customer perception, stock price, and more."


Russo said he hopes that fear will motivate companies to improve their security. "There are ways to prevent these things," he said. "When details of breaches come out, they show that most of them were caused by very simple mistakes, like default passwords."

That, he said, is neither difficult nor expensive to change. It just takes a different mindset. "I lock my car door every day, not just Monday, Wednesday and Friday," he said.

PCI DSS Requirements

The PCI Data Security Standard has 12 requirements to provide a "baseline of technical and operational requirements designed to protect cardholder data."

They are as follows:

Build and Maintain a Secure Network and Systems

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Protect all systems against malware and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know

8. Identify and authenticate access to system components

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel


Stories by Taylor Armerding
