UPDATED 23:17 EDT / NOVEMBER 19 2013


What the security industry is missing from the new PCI 3.0 regulations

If you haven’t heard, the PCI Security Standards Council has put forward the newest version of its compliance measures, PCI 3.0.  The payment processing industry regulations come into effect Jan 1st and cover some interesting new elements.  This latest update adds a number of new measures to address the ever-evolving landscape of technologies that make up payment processing scenarios.  From identity and authentication requirements, to updated assessment procedures, to new point-of-sale elements, the changes are significant enough to warrant not only a new version number, but also a rewrite of policies and procedures at compliant organizations.

Lack of mobile standards


The general response from the security community to these changes has been positive.  The standards first took hold back in 2010.  Some elements, however, have left some questioning whether the updated measures have gone far enough on a number of points.  We all know BYOD and mobility are an increasingly common enterprise security reality.  It is no different in a merchant environment, where many have taken, or are taking, advantage of this technology to unlock mobile payment options.  Yet the PCI 3.0 regulations make no mention of mobile security.  Financial cybercriminals are aware of the growing trend of payments taking place through mobile devices.  Be it Android, Apple iPad or Windows tablets, they are all enticing targets for financial crime.  It is only a matter of time before devices like these are compromised on a large scale.  So the big question here is: why did the PCI council leave this off?

For answers, we called on Greg Rosenberg, a security engineer for Trustwave, a Chicago-based firm which specializes in information security and compliance.  Rosenberg places this mobility gap as the biggest issue.  The threat vector from mobile poses real risks that need addressing.  According to the 2013 Trustwave Global Security Report, mobile malware continues to be a problem for Android and other devices, with the number of samples Trustwave detected growing 400 percent in 2012.  The PCI council did put out some best practices, but Rosenberg states that those practices do not do enough to be considered secure, and certainly not enough to be PCI compliant.  There is also the fact that many organizations will not be able to maintain a secure mobile platform without guidance.  Bad mobile practices can easily seep into the picture, ending in confusion and some bad security scenarios.  Officially, it seems the PCI council left specific requirements for mobile off the list because the overall security posture of consumer-grade mobile devices is considered insecure by default.

Shortcomings


The list of criticisms continues in other areas.  Rosenberg adds that the need for expanded security tools was also not addressed.  He also advocates a more risk-focused approach rather than methods that push businesses toward a checklist-style approach.  A checklist approach can mean that gaps in security exist even though compliance has been achieved, because the focus is on the checklist rather than on the actual risks the company faces.  Compliance enforcement is another issue, as is the definition of routine auditing.  While penalties for non-compliance do exist, these are typically levied by the card processing company.  That adds confusion, as there is no overarching oversight or consistency in how non-compliance events are handled.  With no central party overseeing this, non-compliance penalties are also not widely reported.  So there’s a bit of an enforcement shortcoming there.

PCI and business relationships


Rosenberg also mentions that when organizations become partners and PCI compliance comes into the picture, there is a flawed assumption that all is well because both are compliant-rated organizations.  The problem is that there is too much variance in how organizations achieved compliance, what level of compliance they achieved and how they maintain it.  For example, there are instances where an organization rated at the highest level, Level 1, interacts with organizations at another level, Levels 2-4.  Those lower levels rely on self-assessment elements that were completed in order to achieve their respective compliance level.  Typically that is a yearly self-assessment, and if anything was done incorrectly, or interpreted a certain way, that is a problem, and it affects the Level 1 organization.

The future of PCI is an opportunity


The future of PCI means a continued evolution towards a more complete standard.  Eddie Mize, a leading enterprise security consultant, adds that the industry exhibits a number of different angles.  Anecdotally, yet with increasing frequency, many organizations lean on compliance standards as their primary or even only security practice.  Sometimes, deep in the executive decision process, compliance may be the only thing that gets attention, even when there are massive security issues, because it is something certain organizations have to do.  That, Mize says, is an opportunity to build on the best aspects of industry regulations to create a base that is as thorough as possible, including everything that is mobile.  This makes a lot of sense: if business is compelled to adopt elevated security protocols as the minimum, the entire industry benefits without depending on individual businesses making the right security decisions.  The new regulations take effect Jan 1st, but there is a one-year window for organizations to come up to speed, until January 2015.

photo credit: wecand via photopin cc
