Since the initial release of PCI-DSS, networks, data centers and threats to cardholder data have continued to evolve, driving further refinement of the standard. While the initial PCI-DSS created a framework for its members to follow, it has evolved to address what we’ve learned from PCI implementations and gaps, as well as technological advances.
With PCI-DSS 3.0 in effect starting January 1, 2014, organizations have a framework for making payment security part of their business-as-usual activities: the standard introduces more flexibility and places an increased focus on education, awareness and security as a shared responsibility. This is an important change because PCI-DSS 3.0 focuses on security (as opposed to compliance) and on how to make security part of your business processes. Here are the three main concepts that PCI-DSS 3.0 attempts to address:
1. Improving security education
The latest release of the PCI standard attempts to fix the lack of awareness around payment security and finds a better way of educating organizations on the goal of the requirements and how to properly implement and maintain controls throughout the network.
More organizations need to be made aware of how their employees are involved in the payment chain, so that security standards are effectively implemented and followed. It’s not just about the security team putting controls in place, but also about educating users for whom security is not top of mind. You’re only as good as your weakest link, and employees all too often leave openings for attackers, whether by choosing poor passwords, clicking on malicious links, sharing sensitive information via social media, etc. It’s not just about having more layers of security, but also about ensuring that employees involved in the payment chain understand the risks and know what to do and what not to do.
It also addresses issues arising from poor implementation of the standard. Not knowing and understanding what is in your network can be detrimental to your customers’ payment information and to your organization: do you know how data and traffic are flowing through your firewalls and routers?
2. More flexibility
An important update in PCI-DSS is the recognition that each corporate network and data center is unique, and what works to secure one environment may not be as effective in another. Some environments are entirely on premises, while others are in the cloud (private, public or hybrid) or a mix of on-premises and off-premises. There is no one-size-fits-all approach in this evolving landscape. This is key because while PCI members, merchants and service providers must have proper controls in place to protect cardholder data, they should have some flexibility to implement those controls in a way that makes sense for their business.
3. Shared Responsibility
Security is no longer a one-team mentality, but rather a shared responsibility of many different roles. Shared responsibility means all the different people and teams within the organization as well as outside providers have accountability for the network’s overall security. This can be internal stakeholders such as application owners, database admins, network operations, security engineers, firewall administrators, etc. as well as outsourced third-parties that play a role in processing and storing cardholder data.
Outsourcing is a common practice and more cloud deployments are on the horizon, so keep in mind that according to the PCI Council, 63 percent of investigations identifying a security gap exploited by attackers revealed that a third party was responsible for system support, development or maintenance. Whether your cloud is a hosted, virtual, SaaS, IaaS or PaaS solution, your provider should also share responsibility for the security of your networks, data centers and, ultimately, cardholder data.
All of the changes in PCI-DSS 3.0 are designed to address how networks and data centers have evolved, and not only to improve security controls but to build them into the fabric of your business. Ultimately, you must know what’s in your network and how data is flowing through it, and ensure all of your key stakeholders are aligned to work together towards PCI compliance as well as a more secure and agile operation. Keep up the education and awareness, manage risk with the business in mind, and you will be well on your way.
By Nimmy Reichenberg