Mastercard to Recommend NIST CSF for Continuous Security Between PCI Audits
Cybersecurity for a business model like Mastercard is complex. First, it has the fundamental need to protect its own networks. Second, however, it has a huge global franchise that must also be kept secure to maintain trust in the product.
Security for Mastercard’s own infrastructure is led by Chief Information Security Officer (CISO) Ron Green. Security for the franchise ecosphere is handled separately by EVP for security and cyber innovation, Johan Gerber.
For the franchise, Gerber focuses on four pillars. The first comprises local products — such as the ability to detect suspicious activity that may be automated criminal activity testing the status of large batches of stolen cards. The second pillar is to help the franchise. “For example,” Gerber told SecurityWeek, “we’ve created toolkits for small businesses comprising a bunch of free tools we give them to help them increase their cyber posture — and we’re doing things to help customers recover their stolen identities.” And there is more to come, he added.
The third pillar is around education and collaboration. “We’ll partner with other cybersecurity entities and non-profit organizations, governments, and universities — not just to share information through various fusion centers but also to create education programs. We’ll partner with universities to create cybersecurity certifications, programs for our customers, for board members, for senior executives, for engineers, and so forth.”
The fourth pillar is standards — and here Mastercard will be making new announcements in January 2020. This will be in addition to the existing PCI DSS standard. The problem with PCI DSS — although a thorough and effective requirement — is that it is a standard supported by annual audits rather than a continuous security framework. The Mastercard ecosystem of merchants and retailers, along with the ecosystem of all other payment card companies, must comply with PCI DSS and prove it with once-yearly audits. Between the audits, however, there is no enforceable requirement for sustained compliance.
The Verizon 2019 Payment Security Report, published in November 2019, points out that while PCI DSS conformance at the time of an audit is increasing, PCI sustainability between audits is declining. Verizon notes that in its own forensic breach investigations, no single relevant company was PCI compliant at the time of the breach. Verizon’s recommendation is the use of a security framework it calls the ‘9-5-4 Compliance Program Performance Evaluation Framework’ (nine factors, five constraints and four lines of assurance) to ensure security sustainability.
Gerber recognizes the problem, but plans to take Mastercard and its franchise ecosphere along a slightly different route. The difficulty with simply relying on PCI DSS, he suggests, is down to the speed of modern business. “As the world is moving to a more agile development environment, you see new releases coming way faster than they did in the past; and every time you do a new software release or system release, you may no longer be PCI compliant. So, in theory, after a successful PCI audit, you may be compliant just until a day or two after you got certified.”
He has a team within Mastercard working on the problem, aiming to ensure a more sustained security even beyond the letter of the PCI compliance requirements. The intent, he says, is to ensure the Mastercard franchise has a “security by design framework as the members develop in agile, and to make sure the security by design framework is applied throughout the development cycle. So, it may not be a certification program, but it’s basically just embedding these right designs.” The purpose is to help Mastercard customers really embrace a security framework that provides a more sustained level of security.
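The gap the article describes, a system that passes its audit and silently drifts out of conformance with the next release, is what a continuous control check in the release pipeline is meant to close. The following is an added illustration, not code from the article, Mastercard, PCI DSS or NIST CSF: it encodes a handful of controls as predicates over a configuration snapshot, evaluates a snapshot the way a post-release gate would, and reports which controls passed at audit time but fail after a release. The control identifiers, thresholds and both snapshots are constructed for the example.

```python
"""
Added example (not from the article or Mastercard): a minimal continuous
control check run after every release rather than once a year.
Control ids and thresholds are assumptions for illustration only; they are
not citations of PCI DSS or NIST CSF text. Both snapshots are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Snapshot = Dict[str, object]


@dataclass(frozen=True)
class Control:
    control_id: str                       # hypothetical id, chosen for this example
    description: str
    check: Callable[[Snapshot], bool]     # True when the snapshot satisfies the control


# Controls expressed as predicates over a configuration snapshot.
CONTROLS: List[Control] = [
    Control("CRYPTO-TLS-MIN", "TLS minimum version is 1.2 or newer",
            lambda s: s.get("tls_min_version") in ("1.2", "1.3")),
    Control("AUTH-NO-DEFAULTS", "No vendor-default credentials remain enabled",
            lambda s: s.get("default_accounts_enabled", True) is False),
    Control("LOG-AUDIT-ON", "Audit logging enabled and retained for at least 365 days",
            lambda s: s.get("audit_logging") is True
            and int(s.get("log_retention_days", 0)) >= 365),
    Control("DATA-PAN-ENCRYPTED", "Stored cardholder data is encrypted at rest",
            lambda s: s.get("pan_storage_encrypted") is True),
]


def evaluate(snapshot: Snapshot) -> List[str]:
    """Return the ids of controls that FAIL for this snapshot; empty means passing."""
    return [c.control_id for c in CONTROLS if not c.check(snapshot)]


def drift(before: Snapshot, after: Snapshot) -> List[str]:
    """Controls that passed in `before` (audit day) but fail in `after` (post-release)."""
    return sorted(set(evaluate(after)) - set(evaluate(before)))


def release_gate(snapshot: Snapshot) -> int:
    """Exit status for a CI step: 0 when every control passes, 1 otherwise."""
    return 1 if evaluate(snapshot) else 0


# Constructed snapshot: the configuration as it stood when the audit was passed.
AUDIT_DAY: Snapshot = {
    "tls_min_version": "1.2",
    "default_accounts_enabled": False,
    "audit_logging": True,
    "log_retention_days": 400,
    "pan_storage_encrypted": True,
}

# Constructed snapshot: a later release re-enabled a default account for a
# debugging tool and cut log retention to save storage.
AFTER_RELEASE: Snapshot = dict(AUDIT_DAY, default_accounts_enabled=True,
                               log_retention_days=30)

if __name__ == "__main__":
    print("audit-day failures:   ", evaluate(AUDIT_DAY))
    print("post-release failures:", evaluate(AFTER_RELEASE))
    print("drift since audit:    ", drift(AUDIT_DAY, AFTER_RELEASE))
    print("gate exit status:     ", release_gate(AFTER_RELEASE))
```

The point of the design is that the same predicates run on audit day and after every release, so a failing `release_gate` blocks the deployment that would have turned a compliant system into a non-compliant one, instead of leaving the gap to be discovered at the next annual audit. In practice the snapshot would be pulled from configuration management or the deployment manifest rather than written by hand.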
“We’re not planning to put a great new burden on the industry,” he told SecurityWeek. “The essence of what we want to do with the cybersecurity standards program is to say, look, PCI DSS is still the foundation that we want to leverage — so if you process any consumer payment data you need to be PCI compliant.”
But for the sustainability element, he adds, “If you have any data where you don’t necessarily need to be PCI compliant, then we’re recommending as a best practice that you follow the NIST program. That is what we’re saying. It’s just to start raising the bar — we’re putting out recommendations of how people should be looking at continuous cybersecurity — what types of programs and standards they can use as a best practice to improve their security. So, it’s not a very complicated thing. It’s basically for everything that does not need to be PCI DSS compliant, but where you’re still holding sensitive data, we want you to really look at the NIST standards and apply those.” It’s really about, he added, how Mastercard’s customers can secure their whole infrastructure rather than just payment or other personal data.
While the recommendation for NIST CSF conformance within its own franchise will be announced in January 2020, it will be just a recommendation — but this may not last. “Mastercard regularly evaluates our recommendations and requirements in relation to the changing threat landscape,” Gerber told SecurityWeek, “and our posture and resolve on protections offered by the new NIST CSF recommendation may evolve and strengthen over time.”
The potential for this new recommendation to become a Mastercard requirement, just like PCI DSS, is clear. This is how the firm has operated in the past with new evolutions of PCI DSS. “Historically,” Gerber’s office told SecurityWeek, “our PCI compliance program has previewed future requirements to the industry by first introducing them as recommendations and best practices. Often, we introduce new rules around PCI compliance following some time as a recommendation. Once shifted to a requirement, it is typically future dated (sunrise date) to further allow customers time to meet the new expectations.”
It won’t happen overnight, but January’s recommendation for the use of NIST CSF by the Mastercard franchise may well turn into a requirement in the future. Savvy companies won’t wait. If and when it happens, Mastercard will support the process with advice and tools; but the basic requirement is clear: “The need is to persuade organizations that compliance is a route to good security rather than just a pain point that has nothing to do with security,” said Gerber.