PCI wants compliance to be customizable in 2021
In a major break from the Payment Card Industry security standards playbook, merchants and service providers using newer technologies would have the opportunity to rewrite network operation and testing procedures when achieving compliance.
The upcoming PCI-DSS 4.0 standard, expected in mid-2021, will include the new concept of a "customized approach" to compliance by providing organizations more flexibility to explain their network security methods and how they comply with PCI standards.
"The challenge for us is that people hear about more flexibility and they think it is easier, or that they don't have to do compliance assessments anymore, and that is not the intent," said Troy Leach, senior vice president and engagement officer for the PCI Security Standards Council.
Rather, a customized approach allows organizations that have modern security methods to document and essentially rewrite how these systems can be tested to ensure that they meet the PCI standards, Leach said.
The creation of a customized approach was the most discussed topic at recent PCI community meetings with merchants, security vendors and payments networks, Leach added.
"This is being embraced by large companies investing significantly in modernizing their security technology, and they welcome this opportunity," he said.
For the past decade or more, PCI used a "defined approach" in applying the standards and the compliance assessment process. This approach identified a security risk, explained the threat it was trying to mitigate, prescribed a control to be put in place and mandated how that control would be tested.
"That is the traditional way of most security networks," Leach noted. "But now, if you have a very mature risk model and are introducing new types of security that address it differently, we provide the way for you to better document that."
It's a fundamental change in how PCI and its qualified security assessors will approach signing off on compliance, and it has positive and negative aspects, said Joseph Krull, senior cybersecurity analyst at Aite Group.
"It gives a merchant flexibility to implement the standard in such a way that they are meeting the spirit of the standard. If, for instance, they are using a different kind of antivirus solution to protect an endpoint, they can simply show how it protects against malware," said Krull, who worked for Accenture in PCI consulting before joining Aite Group.
With more complex things like cloud computing or microprocessor services, it gives the merchants the ability to document how a standard can apply to the various aspects of those networks, Krull added. "That is very promising, and we've never had that before."
However, there could be instances in which a QSA would come in to test the systems and "they are supposed to understand your environment and organization on day one, with the prep work being done before arrival," Krull said.
That likely won't be an easy process, Krull added. With a customized approach introducing viewpoints on newer security methods, it could create "a slippery slope" for some assessors not familiar with the networks, he said.
Another danger for PCI compliance, Krull speculated, is that a growing number of businesses are struggling to comply with the General Data Protection Regulation throughout Europe, and a similar privacy standard in California, the first in the U.S.
"I think PCI is going to be overshadowed by these other compliance standards that come with hefty fines," Krull said. "That is the real stick here, not PCI."
This year, however, the U.K.-based compliance advisor PCI Pal reported that GDPR and the California privacy act for data protection were actually sparking an increase in interest in PCI compliance assessments and help with the process. The theory, for now, is that the work needed to comply with GDPR smooths out the process of complying with PCI.
The PCI council has also developed a new Software Security Framework, representing an upgrade from the payment application data security standard (PA-DSS), which has been in place since 2004 and ends in late October of 2022.
The upgrade addresses the fact that coding practices have shifted from simple designs years ago for the limited function of accepting an account number and moving a payment forward, to the current complexities of cloud architecture and e-commerce. That shift now sees the average homepage of a merchant or business receiving source code from 50 to 60 different locations and software providers, PCI's Leach said.
"It actually created a rise in online digital skimming, and it's something we've been very vocal about the past few years because it is one of the largest areas of compromise," Leach added.
Fraudsters take advantage of a diverse, distributed software environment by attacking one of the suppliers or developers, potentially one not aware of its PCI responsibilities. Malware is injected into the application, and merchants never notice because, from their perspective, the final web page still renders as expected.
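The defensive first step against the scenario above is knowing which third parties a payment page actually executes code from, and whether each of those scripts is pinned with Subresource Integrity (SRI) so a silently modified copy on the supplier's server would be refused by the browser. The following is an added example written for this article, not code from the PCI Security Standards Council or from any vendor quoted here: it inventories the `<script>` tags of a page, groups them by origin, and lists the cross-origin scripts that carry no `integrity` attribute. The hostname `shop.example` and the `SAMPLE_HTML` checkout page are constructed for illustration.

```python
"""Inventory script origins on a payment page and flag third-party scripts
loaded without Subresource Integrity hashes.

Added example; uses only the Python standard library. The merchant hostname
and the sample page below are constructed, not taken from a real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the merchant's own hostname. Scripts served from here (or via a
# relative path) are treated as first-party.
FIRST_PARTY_HOST = "shop.example"

# Constructed sample: a checkout page pulling scripts from several suppliers.
# Only one of the three external scripts is pinned with an integrity hash
# (the hash value itself is a placeholder, not a real digest).
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-analytics.test/tag.js"></script>
<script src="https://widgets.example-chat.test/loader.js"
        integrity="sha384-PLACEHOLDER_DIGEST" crossorigin="anonymous"></script>
<script>window.cfg = {};</script>
</head><body>
<script src="https://pay.example-psp.test/sdk.js"></script>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect the src and integrity attributes of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)  # attribute names are lowercased by HTMLParser
        self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity")})


def classify_scripts(html, first_party_host):
    """Split the page's scripts into inline, first-party and third-party.

    Third-party entries record the serving host and whether an SRI hash is
    present, which is the property a reviewer wants to audit.
    """
    parser = ScriptCollector()
    parser.feed(html)
    report = {"inline": 0, "first_party": [], "third_party": []}
    for script in parser.scripts:
        src = script["src"]
        if src is None:
            report["inline"] += 1
            continue
        host = urlparse(src).netloc
        if host == "" or host == first_party_host:
            report["first_party"].append(src)
        else:
            report["third_party"].append(
                {"src": src, "host": host, "has_sri": bool(script["integrity"])}
            )
    return report


def third_party_hosts(report):
    """Distinct external origins the page executes code from."""
    return sorted({entry["host"] for entry in report["third_party"]})


def missing_sri(report):
    """External scripts that a browser would run even if the supplier's copy changed."""
    return [entry["src"] for entry in report["third_party"] if not entry["has_sri"]]


if __name__ == "__main__":
    rep = classify_scripts(SAMPLE_HTML, FIRST_PARTY_HOST)
    print("inline scripts:", rep["inline"])
    print("first-party scripts:", rep["first_party"])
    print("third-party origins:", third_party_hosts(rep))
    for src in missing_sri(rep):
        print("WARNING: no integrity attribute on", src)
```

Run against saved HTML of each payment page; the list from `third_party_hosts` is the supplier inventory the article says most merchants lack, and every entry from `missing_sri` is a script whose contents could change without the merchant noticing. SRI only fits scripts with a fixed version; for suppliers that update in place, a Content Security Policy `script-src` allowlist and periodic re-auditing of the inventory are the complementary controls.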
"We had to create broader awareness and education for third-party developers with the new Software Security Framework, and we had to have a new approach to demonstrate that third parties' products had a secure lifecycle to both the development and ongoing management of their software in the marketplace," Leach said.
It marks an evolution for PCI in recognizing how software can change daily and still comply, while also expanding the standard for different types of software and cloud or web applications.
"It's long overdue, because the PA-DSS was ancient," Aite's Krull said. "We haven't seen a good delineation between the web apps and POS terminals, and those things have been hacked by every hacker in the world."
Moving forward, standards for APIs will be vital to payments security because attackers seek those connections in a network and try to intercept any data or communications at those points, Krull added.
Lockdown learning curve
PCI plans to release the PCI-DSS 4.0 standard in the middle of 2021, with all of the supporting documents, self-assessment procedures, network reporting documents and training manuals following so that everything is in place by the end of 2021.
PCI-DSS 3.2.1 will remain available to use into the middle of 2023 for a two-year transition period before it is retired. Any new requirements in standards would be introduced to 4.0 during that time frame, establishing it as the recognized standard by the first quarter of 2024.
For the PCI Council and its assessors, the COVID-19 pandemic has made it harder to accommodate on-site assessments. This task can be performed remotely, but there's a learning curve.
"We are getting inquiries from assessors who have never been trained about remote assessment," Leach said. "We never had this experience before, as most have been trained to be on-site, and there are procedures that are expected to be done in person to show that a security control actually works."
The council is studying best practices and moving forward with training and establishing processes for QSAs.
"We can't violate security requirements just to do an assessment, like opening up a network firewall or having some of the process take place through video cameras," Leach noted. "We don't want to do that to expose the network and erode existing security."