Security Experts:

Are Organizations Ready for PCI DSS 3.0?

Businesses that handle payment card data have to become compliant with the Payment Card Industry Data Security Standard 3.0 (PCI DSS 3.0) by December 31, 2014, yet many appear to be unprepared for the challenge.

According to a recent study conducted by NTT Com Security, only 30% of organizations have created a plan for compliance after reviewing requirements, with 70% of those surveyed being unaware of the December 31 deadline. Additionally, 41% of the respondents said they have heard of PCI DSS 3.0, but haven’t laid out a plan for compliance.

Are Organizations Prepared?

Representatives from the PCI Security Standards Council told SecurityWeek that the changes introduced in PCI DSS 3.0 were made based on the feedback from the PCI community and focused on increasing awareness and education, flexibility and security as a shared responsibility.

“The reception to these updates have been received positively and we look forward to our upcoming Community Meetings in Orlando, Berlin and Sydney where we can hear directly from our constituents on their questions and feedback on implementing the standards over this past year,” said Bob Russo, general manager at the PCI Security Standards Council.

According to Scott Harrell, vice president of product management at the Cisco Security Business Group, many companies understand the new standard and have started purchasing the technology needed to enable compliance, and they’re adding people to the organizational structure to specifically address this issue.

“However, they are having trouble with the operational aspect of it. Verizon Business released their 2014 PCI report stating that only 10 percent of the companies are passing their baseline assessment. This shows that despite the efforts of becoming compliant, most are not able to stay within compliance over the course of the year to their next assessment,” Harrell told SecurityWeek.

On the other hand, Citrix Systems has found that organizations are “overwhelmingly ready for PCI DSS 3.0.”

“[The] deluge of widespread credit card breaches has touched everyone from large enterprises to small business and the individual - making the impact personal.  In addition, the DSS has had minimal changes from previous versions, illustrating the maturity of the PCI standard for protecting cardholder data and simplifying the process of keeping up with compliance,” explained Kurt Roemer, chief security strategist at Citrix.

Irene Abezgauz, VP of product management at Quotium, says most of the organizations they are dealing with are still in the process of educating themselves on the differences between PCI DSS 2.0 and PCI DSS 3.0, and analyzing how they can translate these differences into actionable items.

Torsten George, vice president of Worldwide Marketing and Products at security risk management firm Agiliance, also makes an interesting point.

“The urgency to meet the ‘virtual deadline’ is not that high either, since there is no oversight agency mandating and enforcing PCI compliance. Instead, fines for violations are imposed either by the card brands (e.g., Visa, MasterCard, and American Express) or acquiring banking institutions – often when shortcomings are detected during a data breach,” George explained.

While Agiliance has not seen a major transition from PCI DSS 2.0 to 3.0 yet, George highlights the fact that adoption also varies depending on the size of the organization.

“Small and mid-sized organizations are slower to adopt the new standard, while larger organizations have started adding some of the new controls and guidance to their business processes. In light of the increased number of third-party originated data breaches, the new requirements for penetration testing, application development lifecycle security, and threat modeling are being implemented at larger firms,” George told SecurityWeek.

“Ultimately, PCI 3.0 is designed to push organizations to embed best practices in their day-to-day operations. Unfortunately, most companies still use a check-box mentality as part of a compliance-driven approach to security. We have not seen any indication that PCI DSS 3.0 will bring about a major shift to a risk-based approach,” he added.

Challenges in Becoming PCI DSS 3.0 Compliant

Russo explains that one of the key challenges is the focus on compliance over security.

“Compliance does not equal security. There’s too much focus on cramming for the test and not on being a good student year round. We have to change the conversation in the boardroom and all the way down and across our businesses. Security has to be a daily priority, built into business practices, not a one-time effort,” the Russo noted.

Roemer believes that the greatest challenges are recognizing that the era of "checkbox compliance" is over, and understanding that the requirements specified in the PCI DSS represent a baseline of security measures.

According to George, PCI DSS 3.0 inherently implies that if all organizations followed the concept of continuous compliance and continuous diagnostics, breaches could be avoided.

“I am not sure that this would be the case, as there is no such thing as 100% prevention. However, continuous compliance and continuous monitoring are essential for reducing the risk of a breach. Continuous compliance includes the reconciliation of assets and automation of data classification, alignment of technical controls, automation of compliance testing, deployment of assessment surveys, and automation of data consolidation,” George said.

“Applying continuous (security) monitoring, implies an increased frequency of data assessments (e.g., on a weekly basis) and requires security data automation by aggregating and normalizing data from a variety of sources such as security information and event management (SIEM), asset management, threat feeds and vulnerability scanners,” George added.

Harrell believes that the main challenge to becoming compliant is the idea of scoping. 

“Most companies we speak to understand how to create a defensible Cardholder Data Environment (CDE) where they have isolated the systems that process credit cards. The problem comes from services ‘connected to’ the CDE,” he said. “For example, a large merchant has services for its directory of people, time synchronization, system patching for new vulnerabilities.”

“Given that these services are used throughout the whole company, how do you secure them once they get connected to the CDE?  Replication of all those services within the CDE is not feasible, so they can be challenging to secure,” Harrell continued.

Harrell also noted that becoming compliant doesn’t seem to be as hard as it is for organizations to maintain once they have achieved it.

“In general the biggest challenges are the greater need that PCI DSS 3.0 brings in understanding the systems and the flow of data within, as well as stricter controls and demands for penetration testing, physical security, data storage and more,” Abezgauz told SecurityWeek. “The bottom line is that organizations need to better understand what is happening in their own systems and then take greater measures to protect the data within.”

Overcoming the challenges

“A shift is needed in how businesses think and view compliance and security. Asking ‘Am I compliant?’ is not the same thing as ‘do I have a strong security strategy for protecting my customer’s payment card data?’ Security requires a daily coordinated focus on people, process and technology and must be part of business as usual,” Russo said about overcoming the challenges.

George believes that merchant organizations have to find ways to apply continues diagnostics and remediation.

“Big data sets can assist in putting specific behavior into context, but there are some real technological challenges to overcome. Traditional security tools operate in a silo and where not designed to also take business criticality into account to help prioritize remediation actions when dealing with huge data sets,” George noted.

“To deal with big security data and achieve continuous diagnostics, progressive organizations are leveraging Big Data Risk Management systems to automate many manual, labor-intensive tasks. These systems take a preventive, pro-active approach by interconnecting otherwise silo-based security and IT tools and continuously correlating and assessing the data they generate,” George added. 

“In turn, this enables organizations to achieve a closed-loop, automated remediation process, which is based on risk. This results in tremendous time and costs savings, increased accuracy, shorten remediation cycles, and overall improved operational efficiency.”

According to Harrell, organizations can overcome the challenges through simplification, which can be achieved through minimizing the scope of the Cardholder Data Environment by using effective segmentation techniques.

“This streamlines the compliance duties down to the systems that process credit card data and to not focus on the ones that don’t,” Harrell said. 

“The most successful companies have support from the top down and view compliance as part of their company requirements. This means hiring qualified people that stay on top of the changes and bloat that occurs over time, and are present to advocate when changes affect compliance. The least successful companies add compliance as a duty to staff that are already overwhelmed with other responsibilities and it falls off the list as a priority,” he added.

“Companies can overcome the challenges by starting early, and building a strong action plan that includes processes for mapping and inventorying, followed by procedures to update and maintain. This inventorying plan should be followed by thorough plan of securing these assets,” Abezgauz noted.

According to Roemer, organizations must understand that real compliance implies a deep commitment to protecting cardholder information and respecting the customer's right to privacy.  

“Organizations must instill a deep personal commitment to the PCI DSS and privacy policies in all of their employees who are entrusted with protecting customer data.  Audits must also include a mapping between technical risk and business risk, empowering the business to make informed long-term decisions on compliance instead of simply trying to make pesky technical security issues go away, Roemer said.

Roemer also pointed out that the DSS should be seen as a baseline that applies across all organizations, but there are unique circumstances that require additional protective measures.

“The requirements specified in the DSS should be seen as the minimum set of standards for protecting cardholder data and should be supplemented with additional measures in environments that present excessive risk,” he added. “Beginning with understanding the requirements for PCI DSS compliance, organizations need to complete the PCI self-assessment, discuss business objectives with their PCI QSA, take non-compliance seriously and take action against areas of exposure that exceed DSS requirements.”

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.