The Future of PCI
Community Meeting Focuses on Collaboration, New ThreatsPoint-of-sale breaches are a huge worry for merchants, and for good reason. The exfiltration of card data from U.S. POS systems has become a frequent occurrence, and retailers are feeling increased pressure to shore up their network defenses and enhance their malware detection (see Senators Probes 2 Recent Breaches).
See Also: Insider Insights for the PCI DSS 4.0 Transition
But merchants must guard against focusing too much attention on short-term threats and, instead, work toward long-term planning that includes strategies and technologies that can address future, and sometime unforeseen, threats.
That was the over-arching message at the North American PCI Community Meeting in Orlando, Fla., where incoming PCI Security Standards Council General Manager Stephen Orfei stressed the need for more global compliance and a focus on merchant security.
"We really need to have a risk-based dialogue versus a compliance-based approach," Orfei says during an interview with Information Security Media Group during the event Sept. 10. "My message to the marketplace right now is we are here to collaborate and truly be a merchant organization."
While Orfei envisions the council evolving into an organization that more strongly focuses on prescriptive guidance for malware mitigation, compliance with data security standards and ongoing security training, he warns that merchants and the payments industry have to be committed to long-range security planning.
Attacks against in-person point-of-sale transactions are a worry today. But tomorrow's attacks will likely be aimed more at e-commerce and mobile payments, Orfei stresses. That's why the industry has to start thinking ahead, he says.
The Compliance Challenge
Troy Leach, the council's chief technology officer notes that ongoing compliance with the PCI Data Security Standard has proved challenging for small and large merchants alike, because of the way they view security.
"Most organizations today are not measuring their PCI in scope," Leach said during a presentation about 12 critical requirements contained with the PCI-DSS that all merchants should be measuring. "Metrics determine the effectiveness of controls."
When it comes to ensuring ongoing PCI compliance, it's critical that organizations regularly track the effectiveness of the controls and technologies they put in place, Leach says. Without metrics, it's impossible for any business to evaluate the ongoing success a specific control or technology, he adds.
Over time, the effectiveness of controls decreases, Leach says. As businesses upgrade systems or modify networks, the controls they have in place must adjust accordingly. And all of those changes and modifications have to be measured, Leach says.
The Merchant's Role
That need for ongoing assessment and measurement is one most merchants fail to appreciate, says qualified security assessor Jacob Ansari.
"The very old, very basic kind of security flaws still remain - weak passwords, insecure remote access, lack of security patches, things like that that in some cases have been almost deliberately set up to make it easy for that reseller or that POS support person to do the maintenance," Ansari says. That's especially true of smaller merchants, he adds.
Jacob Ansari, a QSA for Sikich, on the unique PCI compliance challenges big-box retailers face.
But larger merchants face unique challenges, too. They all face struggles with maintaining PCI compliance, Ansari says.
"Some of these retailers are getting compromised faster than we can detect the attacks," Ansari explains. "Ongoing PCI is a challenge. It's very, very complicated and has many situation-specific qualities to it. ... We have to work with these organizations and make them realize the risks and then help them find solutions that work."
Ansari echoes an all-too-true phenomenon that's too often heard in the industry: Once an organization achieves compliance, it fails to assess that compliance regularly.
"They sort of get to the top of the mountain, breathe a sigh of relief, and we, as the assessor, go away," he says. "We come back six or eight months later and we see that they have let a lot of their controls lapse. So we have to start over. Compliance is difficult; it's challenging; it's time-consuming; but it's necessary. You are supposed to be monitoring your systems every day. That's a culture shift that's going to take some doing to see all the way through."
Malware and Hackers
Emerging and evolving malware strains, such as Gameover Zeus and BlackPOS, are not limited to the U.S. Neither are the attackers who create these viruses and spread them. Cybercrime is a global business.
In the payments space, cyber-intelligence sharing has been lacking, Orfei says.
Today, more than 60 countries are members of the PCI community. But the global nature of today's attacks is necessitating the need for the PCI Council to expand.
During his keynote address, Admiral James Stavridis, former NATO Supreme Allied Commander Europe and Commander of the U.S. European Command, said the lack of an international coalition specifically focused on cybersecurity has put numerous industries, including financial services and payments, at risk.
"In cyber, we have a disconnect between vulnerabilities and threats and the preparation we have in place to defend ourselves," Stavridis said. "We need to use the collective power of alliances to fight back. ... Is there a global role for higher levels of standardization?"
That is where the PCI Council should play a more prominent role, he says. It's also point stressed by Rob Sadowski, directory of technology solutions for security firm RSA and a member of the PCI board of advisers.
Rob Sadowski, director of technology solutions for RSA and a member of the PCI board of advisers, explains why the PCI Council is in a unique position to help bridge information sharing between the private sector and government.
"There could be a role for the council to work with the government," Sadowski says. "When we had a number of breaches at the end of last year, the PCI Council was asked to testify before Congress. So you're already seeing that there is a strong public and industry council partnership present.
"But it would be great to see more information sharing between law enforcement with the industry and the community, and I think we've seen some progress on that front," he adds. "More information sharing about the threat actors and the malware - that is where we could afford to see more collaboration."