Next year's updates to the Payment Card Industry data security standards will give compliant retailers better protection, but hackers will be targeting the weaknesses of companies that don't put in extra effort.
Too many businesses make the mistake of equating PCI compliance to "being secure," said Joe Sturonas, chief technology officer with data security provider PKWare. "That was never the intent of the PCI Security Standards Council," the organization that maintains the standards, he said.
While PCI establishes a solid roadmap for merchants to follow, it provides that same map to criminals, Sturonas said.
"If you are going to attack a company known to be PCI compliant, there are a number of attack vectors you are going to avoid," he said. "Then there are all of these other 'fair game' vectors that go beyond compliance that you can focus on."
Milwaukee-based PKWare provides data encryption services, which are designed to render data unreadable to hackers.
Data security practitioners "clearly understand that PCI is just the minimum bar," but there is widespread misconception about PCI data security, said Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.
Merchants often complain that PCI doesn't work, highlighting examples such as Target, the mega-retailer that passed its quarterly PCI assessment just a few months prior to its 2013 data breach, Conroy said.
"PCI has a PR problem," she said. "Too few people understand that it's a minimum standard and is no panacea."
PCI compliance has essentially developed three "camps" of merchants, said Al Pascual, senior analyst for Javelin Strategy & Research.
Those who already go beyond the minimum effort needed to stay in compliance generally appreciate the extra guidance coming through the 3.0 upgrade, Pascual said.
The new guidance will mostly help those who use PCI compliance as "what they shoot for and the standard they follow" but rarely go much beyond that, Pascual added. "For them, these are timely upgrades and extra steps."
Smaller merchants who "skirt the issue," caring less about PCI because they handle less data and have not faced any serious breach threats, will likely view PCI 3.0 as too daunting and too expensive.
"No matter what you do with standards moving forward, it is not going to matter to that merchant segment," Pascual said. "Unless you make it ultra simple and super cheap, these folks are not going to implement correctly."
Stephen Orfei, the new general manager of the PCI Council, has emphasized that the council will work with acquirers in the future to provide "PCI in a box" as a way to make compliance easier while stressing risk assessment at the same time.
PCI DSS 3.0 expands the definition of scope and calls for deeper penetration testing of systems to validate firewalls and other aspects of a network.
The new guidelines also put heavier emphasis on validating the credentials and work of third-party providers. Starting in July, PCI will require inspections of devices commonly targeted for tampering, such as gas station pumps, ATMs and PIN pads.
The 3.0 standard also requires merchants and service providers to formally document who is responsible for which PCI requirements and what those requirements entail. This requirement is meant to address companies trying to shift the blame after a data breach.
Companies must also be mindful of insider threats, PKWare's Sturonas said. "The reality is at a large company you can do a good job of keeping the bad guys out, but you have 1,400 administrators that have access to all of the data," he added. "It's not necessarily that they would be malicious, but there are accidents, and you can't trust everyone to do the right things all of the time."
No matter how merchants approach PCI DSS 3.0 next year, the math behind data breaches won't change. "Security has to be right 100 percent of the time; the bad guys just have to get it right once," Sturonas said.