PCI's new security ethos: Stay ahead of threats, don't just react
The race against high-tech fraudsters has always motivated the Payment Card Industry Security Standards Council, but for too long the council's process for establishing new standards wasn't looking ahead to the next threat.
The council knew it had to change its approach: rather than issuing instant, knee-jerk rulings, it needed a better handle on how to keep pace with fraud without stifling the payments industry's own innovations.
The council believes it has accomplished this change, particularly with how it approached two standards — the secure software standard and the secure software development lifecycle — which it established earlier this year with speed and flexibility in mind. They are at the core of the council's Software Security Framework.
Two more standards due this year address the fastest-moving technologies: updated requirements for the use of contactless payments technology and for end-to-end encryption.
"The new standards are more flexible (to changing technology) with high security controls," said Troy Leach, chief technology officer for the PCI Security Standards Council.
More importantly, the council has been able to demonstrate to all key payments industry players how the standards protect data. Because of this, the level of interest and excitement at PCI's annual community meeting last week in Vancouver was as high as it has ever been for the introduction of new security measures, Leach said.
"We know payments and trends in security, but having all of these experts in one location seems to have created a very good positive vibe this year," Leach added. "We are starting to see all of the work they have been putting together coming to fruition."
The value of the security standards released this year has been apparent in the wake of the Magecart criminal group's attacks on application developers.
"They are going in and compromising these app developers and putting malware into their code, as these e-commerce sites have an average of more than 15, but sometimes up to 50 third-party app developers creating code," Leach said. "Every time a consumer goes to that web page, a code is being sent along for things like advertising, live chat bots and other features."
Most of the major data breaches of the past two years have occurred through e-commerce, stemming from the Magecart type of attack, Leach said.
"The malware is being pushed down to the consumer site or laptop or mobile device, and the merchant would not know because they are still getting their payment," he said. "It's just the information is being captured and stolen by the fraudster in that process."
The standard focusing on the development lifecycle calls for security and full evaluation of software at every step of the process. Developers must demonstrate that they design and release code with security in mind, making a conscious effort to test it properly before it goes into production.
Another aspect PCI introduced calls for self-policing software to be added to the mix: essentially, software that knows when someone or something is trying to infect it.
Inclusion of Runtime Application Self-Protection, or RASP, is designed to "create code within itself," Leach said. "It is smart and dynamic and executable software that can be more reactive as a new risk is introduced."
That sort of development, as much as anything else, is helping PCI issue requirements with more dynamic controls, giving banks, processors and merchants confidence that the standards will remain flexible and agile as the industry enters its next generation of payment software.
"The software development cycle is a point of vulnerability, so rewarding those that embed security in that process is valuable," said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
But there is a potential downside if the pursuit of faster and safer software actually results in the opposite.
"The devil will be in the details, as is always the case with pretty much everything in payments," Conroy said. "While it's certainly a best practice, adding compliance to this equation could further bog down what is already a painfully slow development and deployment process in many firms."
The update to the contactless standard is much needed at this time, Conroy added. "We see a global movement to contactless, which the U.S. is finally joining in a meaningful way, and a variety of different form factors are available to capture these transactions," she said.
The new contactless security standard is expected for publication by the end of the year, and to be in place by 2020. It will address requirements for merchants accepting "tap and go" payments from commercial, off-the-shelf devices.