Critiquing the New Version of PCI-DSSExperts Weigh in on Strengths, Weaknesses
Security experts say they're pleased with many of the changes and additions in this year's update to the Payment Card Industry's Data Security Standard and the Application Data Security Standard. But they also note some glaring omissions and express concern that neither standard has much enforcement action behind it.
What they like about version 3.0 of the two standards, the first update since 2010, is the greater emphasis on third-party and payments processing risks and more stringent security requirements for payment application developers. What they don't like, however, is the update's lack of security requirements for mobile payments and specific strategies for governance of ongoing risk assessments and compliance enforcement.
The new version of the two standards were issued Nov. 7, but they don't take effect until January and they won't be enforced until 2015 (see PCI Update: Focus on Third-Party Risks).
Missing the Mobile Mark
Many merchants, banking institutions and businesses that are keeping an eye on PCI compliance still have big security gaps the updates don't address, especially in the area of mobile payments, says Greg Rosenberg, a security engineer for Trustwave, an information security and compliance firm.
"Mobile is a unique platform, and it is extremely difficult to achieve PCI compliance on mobile," he says. "To their credit, the council did issue best practices; but even if you follow those best practices to a T, you will never be PCI compliant on mobile. A lot of people are just scratching their heads about what they should do to secure mobile."
Troy Leach, chief technology officer of the PCI Security Standards Council, says the council chose not to issue specific requirements for mobile because consumer mobile devices are inherently unsecure.
"We don't want to do something special for mobile which would lower the standard," Leach says. "So we have created best practices. ... But most of mobile falls outside the council's focus area."
But Rosenberg says the council should have at least addressed what should not be done, when it comes to mobile.
"There are point-to-point encryption solutions that could significantly reduce the risk profile of a lot of merchants, and this is the kind of information that should have been included," he adds.
Rosenberg also says the standards update should have included more specifics about how merchants and others can better address PCI compliance from a risk perspective. Even if businesses attain PCI compliance on paper, they still could have a number of security gaps, because they are not addressing their systems and platforms based on risk, he adds.
Lack of Understanding
Many organizations and businesses affected by PCI don't even understand what the PCI-DSS and PA-DSS aim to accomplish, says Denise Mainquist, founder of independent security and compliance firm ITPAC Consulting LLC. As a result, they're not compliant.
"Version 3.0 is good, and the council needs to keep moving forward and refining it," Mainquist says. "My concern right now is that there are so many companies out there right now that don't know what version 2 is, so I'm not sure version 3.0 will make much of a difference."
The primary problem with PCI's approach to security is that it is not risk-based, she adds.
"PCI makes you do things that don't make sense," Mainquist says. For instance, a merchant that does not rely on remote-access software for maintenance of its point-of-sale equipment still has to comply with requirements outlined for remote-access control.
"It's not about addressing a specific risk in your environment; it's more prescriptive," she says. "You either do it or you don't, and that is difficult for organizations to understand."
As a result, many organizations, especially those in the healthcare sector, have largely ignored PCI-DSS - or are unaware of it, Mainquist says (see PCI DSS Compliance Tips).
"I would say, most definitely, healthcare is not even aware of PCI," says Brian Evans, a healthcare security and regulatory consultant. "They are way behind other industries when it comes to PCI. And they don't have a good answer as to why they don't pursue PCI. But the problem is that there is no enforcement. The sanctions aspect is the real concern."
While version 3.0 includes some best practices about making payment card security part of an organization's everyday business, it does not sufficiently address fines and penalties for non-compliance, Evans says.
"What the standard needs to include is consistency for fines and penalties," he says. "[When it comes to] oversight and governance, I think the council has looked the other way. And I don't know of any organization that is aware of what that compliance risk might be. We need to calculate and analyze that."
Merchants, banking institutions, businesses and other entities required to comply with PCI security standards won't be expected to fully adhere to the updated standards until January 2015. But this so-called enforcement date is meaningless, Evans says, because there is no one organization that is mandating and enforcing PCI compliance. Instead, fines for violations are are imposed either by the card brands, such as Visa, MasterCard and American Express, or acquiring banking institutions.
"That's where I'm looking to the PCI Council for leadership," he says.
Evans would like to see the PCI Council publicize entities sanctioned for PCI-DSS violations, much like federal officials issue announcements when healthcare organizations that violate the federal HIPAA privacy and security regulations are fined. And he says the penalties for non-compliance need to be stiffer.
"If you go on the PCI website, the council itself says any fines or penalties are defined by the card brands," Evans says. "So the relationship tie is traditionally with the acquiring banks, and some of the fines they impose are only like $20 per month, never more than $100 per month. So it's cheaper for merchants to just pay the fine."
Minding the Gaps
Mainquist says that until businesses and organizations are held accountable for card data compromises that result from non-compliance, PCI will remain a toothless standard. Many small merchants and healthcare providers may not even be aware an update to the PCI-DSS and PA-DSS has been issued, she adds.
"Without having some way to make people accountable, it will never be that effective," Mainquist says. "There has to be enforcement."
Like Evans, Mainquist says the compliance strategy for PCI is flawed. Merchants that have concerns about PCI, because they don't understand it, often turn to their acquiring banks for answers, she says.
"But the banks don't help educate merchants about PCI security," Mainquist says. "If small merchants are answering the questions through self-assessments and they call their acquiring banks for help, the banks just tell them how to respond so that they can pass the assessment. That's a little scary. It's not about security or understanding the standard."
Processors should play a bigger role, Mainquist adds. "Education seems like it should fall on the processors; they should enforce compliance and ensure everyone gets the education they need."