Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

PCI DSS 3.0 is an evolution, not a revolution

Taylor Armerding | Jan. 17, 2014
The primary goal of the Payment Card Industry Data Security Standard (PCI DSS) is to protect the confidential user information on credit cards.

"Specifically, we don't know whether they had anti-virus on the PoS devices and we don't know, but doubt, that the attackers needed physical access."

Camejo said the only provision of the updated standard that might have been helpful is Requirement 6.5, which calls for application developers to consider how card data is handled in memory.

"This isn't so much something that Target could have done — it would have to be done by the PoS vendor," he said. "Although Target seems to be getting most of the flak, I would be more apt to blame the PoS vendor for developing a platform that doesn't handle the cardholder data securely in memory and doesn't have enough internal checks to prevent tampering."

In other words, PCI DSS 3.0 will not make the industry bullet proof. But there is general agreement among experts that compliance with it will improve security to the industry, even though it is more an "evolution" than "revolution."

Indeed, of the 98 items listed in a summary of PCI DSS 3.0, 74 of them are described as "clarification," while only 19 are "evolving requirements" and five are "additional guidance."

One of the most significant elements of the standard, however, is the theme of making compliance a daily event, or business as usual (BAU), instead of an annual "check-the-box" scramble to comply with an audit.

"The PCI SSC (Security Standards Council) wants to encourage organizations to move into a proactive state, where they have better control over their in-scope assets," said Christopher Strand, compliance consultant at Bit9.

"Compliance in the past had a tendency to be reactive since it was normally done in order to meet the annual or point-in-time obligation or review. Now, the only way to remain compliant under the new version of the standard is to ensure your security stack can give you full visibility of the environment, with the ability to proactively audit the endpoints and network in real time for deviations."

"The guidelines won't be everything to everyone," said Alphonse Pascual, senior analyst at Javelin Strategy & Research. "There is no perfect security, and when it comes to bureaucracy you take what you can get."

Chuvakin added that the update includes, "plenty of new focus not just on policies and not just on buying tools, but on developing actual operational processes and practices, to make it truly BAU."

This, said Conroy, should not require a major spike in spending, or raise the costs of a company's products and services. "The elements of PCI 3.0 that are designed to make compliance more of an every-day business practice are largely procedural — many do not require big IT investments," she said, adding that the CISO of a large health insurer told her the updated standard would be, "pretty much a non-event for his organization, because it was already doing most of what was required."


Previous Page  1  2  3  4  Next Page 

Sign up for Computerworld eNewsletters.