Council CTO on Verizon’s Payment Security Report

Verizon recently released its 2017 Payment Security Report. In advance of the upcoming North America PCI Community Meeting in Orlando, PCI SSC CTO Troy Leach addresses trends and findings from the report.  

The report highlights the fact that organizations are not consistently maintaining security controls year-round, leaving them vulnerable to security breaches and data compromise. Why is this happening and what can be done to fix it?

Troy Leach: The fact that organizations are not consistently maintaining security controls on an ongoing basis was a key driver for changes introduced in PCI Data Security Standard (PCI DSS) version 3.2., which focus on helping organizations confirm that critical data security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process.

Every sound security program needs to focus on three elements: people, process and technology. Organizations that work with trusted partners such as trusted service providers or Qualified Integrators and Resellers (QIR)  who are trained to install and maintain payment applications in a secure way, as well as implement tamper-tested technology, like approved PIN Transaction Security (PTS) terminals and other devices, put themselves in a better position to detect and defend against attacks.

Can you address the fact that according to the report, not one breached company that Verizon investigated was found to be compliant? 

Troy Leach: PCI DSS compliance is an important aspect of a security program, but as we’ve always said, security can’t start and end with compliance. The focus must be on establishing ongoing security processes to prevent, detect and respond to attacks that can lead to data loss. Good security practices will lead to the ability to demonstrate effective controls remain in place which is what compliance tries to achieve.

PCI DSS 3.2 emphasizes the importance of viewing security as an organic process that evolves with the company as an ongoing effort and not a yearly assessment to correct behavior, and specifically the importance of validating that security controls are in place and working, as part of the ongoing security monitoring process.  

In today’s payment environment, the one constant is change.  Whether that is the payment acceptance technology, supporting architecture or simply new personnel assuming responsibility for protecting payment data.  PCI DSS identifies risk-based activities that must be in place to constantly evaluate both the changes as well as potential new threats since the last assessment.

Organizations need to consistently monitor for new threats and develop a process to address those discoveries and make sure they are addressing security-relevant changes, like personnel changes, technology upgrades and new vulnerabilities discovered with existing technology.

Additionally, ‘PCI DSS-compliant’ is to confirm for that moment in time, the processes exist to have a reliable defense.  But it must be inclusive of all relevant systems.  Some breaches occur when systems not evaluated are the point of compromise.  Verizon gives a great example in their report of a wireless network that was not assessed but should have been.

To address that concern, the new PCI DSS Requirement 11.3.4, which becomes effective as a requirement February 1, 2018, asks for organizations to perform penetration tests on the boundaries of their cardholder data environments to have confidence in the segmentation is effectively working.

Requirement 1.1.3 already required organizations to have a dataflow to know where all cardholder data is but as mentioned earlier with the constant change of technology and process, this can be a difficult task to keep up with if not using some help from automation.

Speaking of automation, one of the recommendations coming out of the report is “automate everything possible.” Is this something that can help with establishing security as an ongoing process?

Troy Leach: Absolutely. We constantly encourage use of automation where possible to react to log monitoring and other security notifications, as well as frequent fine-tuning of the controls.  The security technology has come a long way in a short period of time to help assist companies in managing PCI DSS controls.  Technology exists to know if you swap routers that cardholder data is being redirected or access rules are not in place when exchanging firewalls.  Automation is one of the best tools for maintaining PCI DSS compliance.

Also, if done properly, then organizations have the ability to collect relevant data to establish quantitative metrics that will not only improve security but also has the ability to demonstrate other improvements such as organizational efficiency.

The report also recommends investing in developing expertise. What are your thoughts on this?

Troy Leach: Education and training is critical. Organizations need to train their people internally, and where they don’t have expertise find ways to outsource payment processing to subject matter experts that are knowledgeable in modern threats to payments and associated mitigating controls..

We’ve seen a global shortage in cybersecurity skills, and as criminals continue to target payments, security skills are critically important to the payment industry moving forward. 

This need and demand is one of the reasons we are introducing the new Associate QSA program, so we can bring in new cyber talent to the industry. Also, our Internal Security Assessor (ISA) and PCI Professional (PCIP) training programs focus on building internal expertise, while the growing Qualified Integrator and Reseller (QIR) program is training merchant partners to address the critical yet simple security vulnerabilities that are causing the majority of breaches today.

Can you share your thoughts on how the PCI DSS will evolve based on the threat landscape?

Troy Leach: The PCI Data Security Standard is a mature standard, addressing essential elements of data security. When implemented and maintained properly, the PCI DSS helps businesses safeguard payment data and detect, mitigate and prevent criminal attacks and breaches. While we will continue to evolve the standard as needed, our focus looking ahead is how we can we increase and improve adoption of these data security essentials for businesses of all sizes and types.

We are working with the industry on ways in which we can provide greater flexibility for organizations to focus on the security controls needed to protect payment data and reduce risk for their for their payment environments, and to demonstrate that they have these practices in place. One such example is our Small Merchant Task Force, made up of payment security experts and small business partners. The task force has developed the PCI Payment Protection Resources for Small Merchants which are payment security resources for small merchants presented with approachable, common-sense language.

We also continue to look at ways to minimize where PCI DSS requirements need to be applied, whether it's through point to point encryption that reduces the scope of the number of assets that have to be evaluated or it’s different payment technology that no longer is dealing with static account information.  We published a standard for Token Service Providers as one example of our work in that area.  These types of things are daily conversations here at the PCI Council, and we are working to drive innovation through these technologies so that the standard remains relevant to newer security risks and ongoing changes in payment acceptance.

Any final thoughts?

Troy Leach: The numbers in this report demonstrate there is progress being made over time as more and more organizations are taking payment seriously and maturing their processes.  While 100% compliance for interim assessments has improved to slightly over half, looking at each requirement, the gaps are closing to a healthy level of incremental change rather than monolithic gaps in compliance.   That means the overall cost of compliance is diminishing as we work together as an industry to maintain a high-level of trust in each and every payment channel.

As the pace of criminal activity increases, establishing and maintaining sustainable security processes that can adapt and react to change more quickly is increasingly important. This is something we’ll be talking about at our upcoming North America Community Meeting in Orlando.

Join global payment and security leaders to discuss this and other pressing matters to the security of payments at the North America Community Meeting in Orlando.