Retailers must upgrade authentication, encryption and pen testing

The PCI Security Standards Council now requires better authentication, encryption and penetration testing

The PCI Security Standards Council now requires better authentication, encryption and penetration testing by companies that accept consumer payments, improvements lauded by security experts.

"There are a lot of people who consider compliance to be policy for policy sake," said Ryan O’Leary, vice president of the threat research center at WhiteHat Security. "But with these three recommendations, it is really security-industry standards that are finally being forced upon companies. I would say, absolutely, it will move the bar forward as far as security goes."

Administrators with access to card data must now have two-factor authentication when they log in, either locally or remotely.

Previously this requirement applied only to remote access from untrusted networks.

"A password alone should not be enough to verify the administrator's identity and grant access to sensitive information," said PCI Security Standards Council Chief Technology Officer Troy Leach in a statement.

"We totally think that this makes sense," said Chase Cunningham, director of cyber threat research at Armor Defense. "Everyone here has multi-factor on every system, at all times, PCI or not."

But from his experience, it's rare to see companies currently using two-factor authentication on all vulnerable systems, he added.


"The use of two-factor authentication for access into financially significant environments is something we’ve been advocating for almost 10 years," added John Bambenek, threat systems manager at Fidelis Cybersecurity. "The tools that can do this are reasonably priced, and this will force the issue of actually implementing it."

Active penetration testing

Previously, passive vulnerability scans were sufficient to comply with the PCI requirements. Under the new rules, however, active penetration tests will be mandatory.

"Requiring actual penetration tests, versus scanning, is a great leap forward," said Bambenek. "Static vulnerability scanners can miss a great deal, and the move to penetration tests shifts the focus from retrospective testing to what an attacker can actually do."

There have been a number of security vulnerabilities associated with SSL, the Secure Sockets Layer encryption protocol, over the past few years, said WhiteHat's O'Leary.

Some browsers and servers are still using old, outdated versions of these standards.

"You need to get rid of those old versions, and not allow any downgrade attacks," said O'Leary. "Just get rid of them altogether."

In addition, while upgrading from SSL to TLS, he recommended jumping directly to the latest, most secure version, instead of the minimum TLS 1.1 required by the PCI. Currently, the latest version is TLS 1.3.
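What "get rid of the old versions" and "don't allow downgrade" look like at the protocol level: the server has to look at the versions a client actually offers in its ClientHello and refuse to negotiate anything below its floor. The following is an added example, not code from the article or from any of the vendors quoted: it parses the version fields of a TLS ClientHello (the legacy version field plus the `supported_versions` extension that TLS 1.3 clients send) and applies a configurable minimum, so a defender can see which clients would be turned away once SSLv3/TLS 1.0/1.1 are disabled. The `build_client_hello` helper only exists to construct sample messages for the demonstration; a real deployment sets the floor in the TLS library or load balancer, not in application code.

```python
import struct

TLS_VERSION_NAMES = {
    0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
TLS1_1, TLS1_2, TLS1_3 = 0x0302, 0x0303, 0x0304
SUPPORTED_VERSIONS_EXT = 0x002B  # RFC 8446 extension type


def build_client_hello(legacy_version, supported_versions=None,
                       cipher_suites=(0x1301, 0xC02F)):
    """Constructed sample ClientHello (random bytes zeroed, no session id)."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"  # one compression method: null
    exts = b""
    if supported_versions:
        data = bytes([2 * len(supported_versions)])
        data += b"".join(struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def offered_versions(record):
    """Return the sorted list of protocol versions a ClientHello offers."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 0
    legacy = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                      # legacy_version, random
    pos += 1 + body[pos]               # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
    pos += 1 + body[pos]               # compression methods
    versions = None
    if pos < len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == SUPPORTED_VERSIONS_EXT:
                n = edata[0]
                versions = [struct.unpack("!H", edata[1 + i:3 + i])[0]
                            for i in range(0, n, 2)]
    if versions is None:
        # Pre-1.3 clients signal only their highest version; a server may
        # pick that version or any lower one it still enables.
        versions = [v for v in TLS_VERSION_NAMES if v <= legacy]
    return sorted(versions)


def evaluate(record, minimum=TLS1_2):
    """Apply the server's version floor and report what would be negotiated."""
    offered = offered_versions(record)
    negotiable = [v for v in offered if v >= minimum]
    return {
        "offered": [TLS_VERSION_NAMES.get(v, hex(v)) for v in offered],
        "accept": bool(negotiable),
        "selected": TLS_VERSION_NAMES[max(negotiable)] if negotiable else None,
    }


if __name__ == "__main__":
    modern = build_client_hello(TLS1_2, [TLS1_3, TLS1_2])
    legacy = build_client_hello(0x0301)
    print("modern client:", evaluate(modern))
    print("TLS 1.0 client:", evaluate(legacy))
```

With the floor at TLS 1.2 (O'Leary's advice) the TLS 1.0-only client is refused outright rather than quietly served an old version, and a client that sends a `supported_versions` list containing only TLS 1.0 is treated the same way. Lowering `minimum` to `TLS1_1` reproduces the PCI baseline the article mentions, which is useful for measuring how much traffic each floor would affect before the cut-over.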

Companies have until February 2018 to comply with the authentication and penetration testing requirements, and until July 2018 for the TLS migration.

Needs to go further

The only complaint security experts had with the new guidelines was that they didn't always go far enough.

Stolen credentials are a factor in 63 percent of all confirmed data breaches, according to the latest Verizon report.

"Basic two-factor authentication would mitigate an entire swathe of these breaches," said Bryan Sartin, executive director, global security services at Verizon.

"The new PCI standards fall far short of actually improving the security of cardholder data," said Brian NeSmith, CEO at Arctic Wolf Networks.

As with many compliance requirements, the process of creating new standards is lengthy and they wind up lagging behind what the criminals are doing.

"What the industry really needs is to improve its threat detection and response capabilities in order to catch the bad guys before the damage is done," NeSmith said.

Fidelis' Bambenek added that there are other threat vectors that are also not addressed by the new compliance requirements.

"It would be hard, for instance, to see how the prevalence of POS malware will be affected by these changes," he said. "Consumer data will still not be safe."
