By Jim Daly
The coming update to the Payment Card Industry Data Security Standard (PCI DSS) will include new guidelines about physically protecting credit and debit card terminals, when third-party vendors share security responsibilities with merchants, protecting card data in a computer system’s short-term memory, and strengthening passwords, among other topics.
The PCI Security Standards Council today issued a document outlining proposed changes in the pending Version 3.0 from the current Version 2.0 of the main PCI rule book and its closely related Payment Application data-security standard (PA-DSS) that governs card-processing software. Version 2.0 took effect in late 2010, and the update set for November is the first since the PCI Council switched from a two-year to a three-year revision schedule. The Wakefield, Mass.-based PCI Council administers the standards although card networks, through merchant acquirers, enforce them.
PCI Council General Manager Robert Russo says plenty of changes are planned, but he promises the rules will be “easier to understand.” Version 2.0 has 12 main requirements, which will continue, and about 225 specific do’s and don’ts. The big goal, he says, is to get card-accepting merchants to start thinking about data security in broader terms than simply trying to pass their annual PCI audit.
“The major theme is making PCI part of your ‘business as usual,’” Russo tells Digital Transactions News. “We’re finding over and over and over again the check-box mentality.”
As many merchants and even some payment processors have found out, passing the audit is no guarantee that hackers won’t break into their Internet-connected computer systems a month or two later and steal card numbers, expiration dates, and related data that can be re-sold to card counterfeiters. There never will be such a guarantee, but PCI Council executives say constant vigilance rather than forgetting about security until the next audit can reduce the incidence of breaches.
“We’d like the PCI guidance to be seen as a compass, not as a roadmap,” says Troy Leach, chief technology officer. “If they [merchants] think it’s a roadmap, they think there’s an endpoint.”
The planned changes derive from comments the council received from about 700 so-called participating organizations—processors, merchants, technology vendors, and others with a stake in PCI—and 250 or more assessors who do PCI audits. Highlights include:
• More guidance about physically protecting point-of-sale terminals and related hardware. The placement of skimmers and malware on terminals is a big cause of data thefts. “We wanted to educate employees that are around those POS terminals, so they can detect if there is tampering,” says Leach. The revisions will include guidance from a 2009 document the PCI Council produced about skimming prevention.
• New language about when a third-party vendor whose equipment or software is linked to a merchant’s payment system is responsible for protecting card data. “There already was language, but we’ve beefed it up,” says Leach, who notes that one study found third parties have some involvement in a large majority of data breaches. Many vendors, for example, can go into a merchant’s computer system at will for their own benign purposes, but hackers sometimes find those electronic pathways and use them to steal sensitive data.
• Revisions covering penetration testing and validating network segmentation. These topics address which systems are “in scope,” that is, subject to the PCI rules because they store, process, or transmit card data or are connected to systems that do. “What we were seeing in these breaches, especially large processor breaches … is the potential that the scope was not properly established to begin with,” says Leach. One example is merchants’ use of card data for loyalty programs: marketing staff may consider that acceptable, but if they never tell their colleagues in the IT department, the systems holding that data are left outside the protected environment. “The merchant thinks they’re doing the right thing … but they haven’t cast the net wide enough,” Leach says.
• Guidance about card data in a computer’s “volatile,” or temporary, memory. Many merchants concentrate on protecting data stored on disk and pay less attention to what sits in RAM, even though transaction processing necessarily holds the card number in memory, in the clear, for at least a short period, and memory-scraping malware is built to harvest it during that window. “As we secure the easier areas, criminals will always go to the lowest hanging fruit,” says Leach.
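The scoping problem Leach describes in the penetration-testing and segmentation item can be made mechanical. The following Python is an added illustration, not code from the article or from the PCI Council: it applies the rule PCI DSS itself uses, that any system storing, processing or transmitting cardholder data is in scope and so is any system with a permitted network path to one, to a small hypothetical inventory in which marketing keeps full card numbers in a loyalty database that IT was never told about. The system names, the flow list and the declared scope are all constructed for the example.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Constructed inventory (hypothetical system names): True if the system itself
# stores, processes or transmits cardholder data (CHD) and is therefore part of
# the cardholder data environment (CDE).
HANDLES_CHD: Dict[str, bool] = {
    "pos-terminal": True,
    "payment-switch": True,
    "loyalty-db": True,       # marketing keys loyalty records on the full PAN
    "analytics-host": False,  # pulls reports from loyalty-db every night
    "hr-portal": False,
    "corp-file-share": False,
}

# Constructed list of permitted network flows (source, destination), the way a
# firewall rule base would allow them.
FLOWS: List[Tuple[str, str]] = [
    ("pos-terminal", "payment-switch"),
    ("payment-switch", "loyalty-db"),
    ("analytics-host", "loyalty-db"),
    ("hr-portal", "corp-file-share"),
]

# What the merchant declared to its assessor: the loyalty programme was never mentioned.
DECLARED_SCOPE: Set[str] = {"pos-terminal", "payment-switch"}


def compute_scope(handles_chd: Dict[str, bool],
                  flows: Iterable[Tuple[str, str]]) -> Tuple[Set[str], Set[str]]:
    """Return (cde, connected): systems handling CHD, and systems that do not
    handle CHD themselves but have a permitted flow to or from a CDE system.
    Both sets are in scope for PCI DSS."""
    cde = {name for name, handles in handles_chd.items() if handles}
    connected: Set[str] = set()
    for src, dst in flows:
        if src in cde and dst not in cde:
            connected.add(dst)
        if dst in cde and src not in cde:
            connected.add(src)
    return cde, connected


def scope_gaps(declared: Set[str], handles_chd: Dict[str, bool],
               flows: Iterable[Tuple[str, str]]) -> List[str]:
    """Systems that are in scope by the connectivity rule but missing from what
    the merchant declared: the 'net not cast wide enough' problem."""
    cde, connected = compute_scope(handles_chd, flows)
    return sorted((cde | connected) - declared)


def segmentation_violations(declared: Set[str],
                            flows: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Permitted flows that cross the declared scope boundary in either direction.
    A segmentation penetration test should try each of these paths; if traffic
    gets through, the segmentation the merchant relies on does not hold."""
    return sorted((s, d) for s, d in flows if (s in declared) != (d in declared))


if __name__ == "__main__":
    print("undeclared but in scope:", scope_gaps(DECLARED_SCOPE, HANDLES_CHD, FLOWS))
    print("flows crossing the declared boundary:",
          segmentation_violations(DECLARED_SCOPE, FLOWS))
```

Run against the constructed inventory, the loyalty database and the analytics host that reads it both turn up as undeclared systems that are nevertheless in scope, and the one flow from the payment switch into the loyalty database is the path a segmentation test would have to exercise. The same two functions can be fed a real firewall export and asset inventory to catch this class of scoping error before an assessor does.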
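The volatile-memory point is easy to see with a scanner of the kind that both memory-scraping malware and defensive memory-inspection tools use. The following Python is an added example, not code from the article or from the Council: it searches a constructed memory image (hypothetical bytes containing only published test card numbers) for runs of 13 to 19 digits, keeps the ones that pass the Luhn check that every PAN satisfies, masks them to first six and last four digits, and then shows the basic mitigation, overwriting the buffer as soon as the transaction no longer needs it.

```python
import re
from typing import List, Tuple

# Constructed dump of a POS process's memory (hypothetical; no real card data).
# It mixes protocol debris, the Luhn-valid Visa, Mastercard and Amex test
# numbers, and two 16-digit values that look like PANs but fail the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x00POS v4.2 session 8831\x00"
    b"order=2013082300001234\x00"                 # 16 digits, fails Luhn
    b"pan=4111111111111111;exp=1225;cvv=***\x00"  # Visa test number
    b"\x7f\x00\x00\x01 5555555555554444 \x00"     # Mastercard test number
    b"ref=1234567890123456\x00"                   # 16 digits, fails Luhn
    b"378282246310005\x00"                        # Amex test number (15 digits)
)

# Runs of 13 to 19 digits not adjacent to other digits: the PAN length range.
_CANDIDATE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check that all PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(buf: bytes) -> List[Tuple[int, str]]:
    """Scan a memory image for Luhn-valid PAN candidates; return (offset, masked PAN)."""
    hits = []
    for m in _CANDIDATE.finditer(buf):
        digits = m.group().decode("ascii")
        if luhn_ok(digits):
            hits.append((m.start(), mask(digits)))
    return hits


def wipe(buf: bytearray) -> None:
    """Overwrite a buffer in place once the transaction no longer needs it.
    This shortens the exposure window, but Python may already have copied the
    data elsewhere; in native code the buffer would also need to be locked
    against paging, and the zeroing written so the compiler cannot drop it."""
    for i in range(len(buf)):
        buf[i] = 0


if __name__ == "__main__":
    for offset, masked in find_pans(SAMPLE_MEMORY):
        print(f"PAN at offset {offset:#06x}: {masked}")
    live = bytearray(SAMPLE_MEMORY)
    wipe(live)
    print("after wipe:", find_pans(bytes(live)))
```

The Luhn filter is what separates the three real card numbers from the order and reference identifiers of the same length, which is why a crude grep for sixteen digits over-reports and why scrapers and detection tooling alike apply it. Scanning the same buffer after the wipe finds nothing, which is the behaviour a payment application should aim for the moment authorization completes.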
Russo says the planned changes, which also include more guidance about strengthening weak passwords, are subject to further revisions. The council will publish the final documents Nov. 7. Meanwhile, the council’s three annual “community meetings” in North America, Europe, and Asia are coming up. The North American meeting is set for Sept. 24-26 in Las Vegas.
Highlights of proposed changes for Version 3.0 can be found here. The council plans to hold webinars later this month and in September to discuss them.