Virtualization Next for PCI Standard?
Among the Emerging Technologies Discussed for 2010 Update
This was the prediction of some industry leaders meeting at the Payment Card Industry's Security Standards Council community meeting in Las Vegas last week.
PCI typically is updated on a 24-month cycle, with this year being the "off year" for review and feedback. Previous review cycles have led to minor tweaks - i.e. changes to wireless standards. "In the past we've seen standards change based on compromise trends," says Branden Williams, director of the PCI practice for VeriSign.
Among the current compromise trends: virtualized solutions. "Because virtualization is an emerging technology, we're beginning to see emerging threats," says Troy Leach, Chief Technology Officer for the PCI Security Standards Council, the group charged with oversight of PCI. "In virtualization there are virtual firewalls and antivirus, and the threats are beginning to attack those layers," Leach says.
One hurdle that virtualization faces before being added to the PCI standard: The lack of a clear definition of what virtualization is and what it encompasses. "We need to have a better nomenclature and a better understanding of where in the standards virtualization is found," Leach says. "And if it isn't, then the council will address how we address this new technology."
In reviewing potential new solutions, Leach says the dual goals are to improve security and to simplify matters for the merchant. "If we can reduce the footprint of cardholder data [held by] the merchant and shift the responsibility to service providers with IT staff who know how to protect data and systems, then the payment process for the merchant becomes much easier," Leach says. "If we can simplify the process for a merchant, I think we'll make great strides."
Feedback is Critical
The Chairman of the PCI Security Standards Council says the feedback the council gets on these technologies is crucial. "After the feedback, there may be some clarifications made," says Lib De Veyra, vice president of emerging technologies at JCB International, one of the major card brands.
De Veyra says one of the reasons the council takes so much time to deal with these issues is the evolution of technology. "As it moves, you have to adapt the technology accordingly, because the vulnerabilities evolve as well," he notes.
The group charged with taking all the feedback from participating organizations and turning it into strategic action is the Technical Working Group (TWG), made up of PCI community members representing all areas. Added to the feedback is the newly delivered report on the use of emerging technologies, which the council requested from PricewaterhouseCoopers.
"It's going to take the TWG some time to digest all of the PricewaterhouseCoopers report," says PCI-SSC's general manager Bob Russo. The four emerging technologies named as top mentions are end-to-end encryption, tokenization, virtual terminals and magnetic stripe imaging -- none of which is mentioned in the current standards.
Because there are so many emerging technologies, Gary Palgon, of nuBridges, a PCI security vendor, says it's hard for industry leaders to keep PCI current. "For everything that comes out, and as fast as we move, [PCI] is somewhat of a laggard," Palgon says.
One of the interesting things Palgon sees now is that companies across industry are beginning to look at PCI more strategically, applying the same protection measures that they use on card data to the rest of the sensitive personal data they hold. He predicts that, because of all the different emerging technologies and uses, "There will be a hybrid of different [standards] that protect the different types of data, card data, personal identifiable information and personal health information."
Matt Davis, Audit and Compliance principal practice lead at SecureState, a Cleveland, OH-based risk management assessment firm, says, "Many of us will be anxiously awaiting output from the current special interest groups" to see what new guidelines emerge in 2010. "I expect there will be quite a few more on emerging technologies," Davis says.