Verizon recently released its 2017 Payment Security Report. In advance of the upcoming North America PCI Community Meeting in Orlando, PCI SSC CTO Troy Leach addresses trends and findings from the report.
The report highlights the fact that organizations are not consistently maintaining security controls year-round, leaving them vulnerable to security breaches and data compromise. Why is this happening and what can be done to fix it?
Troy Leach: The fact that organizations are not consistently maintaining security controls on an ongoing basis was a key driver for changes introduced in PCI Data Security Standard (PCI DSS) version 3.2, which focus on helping organizations confirm that critical data security controls remain in place throughout the
Every sound security program needs to focus on three elements: people,
Can you address the fact that according to the report, not one breached company that Verizon investigated was found to be compliant?
Troy Leach: PCI DSS compliance is an important aspect of a security program, but as we’ve always said, security can’t start and end with compliance. The focus must be on establishing ongoing security processes to prevent, detect and respond to attacks that can lead to data loss. Good security practices will lead to the ability to demonstrate that effective controls remain in place, which is what compliance tries to achieve.
PCI DSS 3.2 emphasizes the importance of viewing security as an organic process that evolves with the company as an ongoing effort and not a yearly assessment to correct behavior, and
In today’s payment environment, the one constant
Organizations need to consistently monitor for new threats and develop a process to address those discoveries and make sure they are addressing security-relevant changes, like personnel changes, technology upgrades and new vulnerabilities discovered with existing technology.
Additionally, ‘PCI DSS-compliant’ is to confirm that, for that moment in time, the processes exist to have a reliable defense. But it must be inclusive of all relevant systems. Some breaches occur when systems not evaluated are the point of compromise. Verizon gives a great example in their report of a wireless network that was not assessed but should have been.
To address that concern, the new PCI DSS Requirement 11.3.4, which becomes effective as a requirement February 1, 2018, asks for organizations to perform penetration tests on the boundaries of their cardholder data environments to have confidence that the segmentation is effectively working.
Requirement 1.1.3 already required organizations to have a dataflow to know where all cardholder data is, but as mentioned earlier, with the constant change of technology and process, this can be a difficult task to keep up with if not using some help from automation.
Speaking of automation, one of the recommendations coming out of the report is “automate everything possible.” Is this something that can help with establishing security as an ongoing process?
Troy Leach: Absolutely. We constantly encourage
Also, if done properly, organizations have the ability to collect relevant data to establish quantitative metrics that will not only improve security but also have the ability to demonstrate other improvements such as organizational efficiency.
The report also recommends investing in developing expertise. What are your thoughts on this?
Troy Leach: Education and training
We’ve seen a global shortage in cybersecurity skills, and as criminals continue to target payments, security skills are critically important to the payment industry moving forward.
This need and demand
Can you share your thoughts on how the PCI DSS will evolve based on the threat landscape?
Troy Leach: The PCI Data Security Standard is a mature standard, addressing essential elements of data security. When implemented and maintained properly, the PCI DSS helps businesses safeguard payment data and detect, mitigate and prevent criminal attacks and breaches. While we will continue to evolve the standard as needed, our focus looking ahead is how we can increase and improve adoption of these data security essentials for businesses of all sizes and types.
We are working with the industry on ways in which we can provide greater flexibility for organizations to focus on the security controls needed to protect payment data and reduce
We also continue to look at ways to minimize where PCI DSS requirements need to be applied, whether it's
Any final thoughts?
Troy Leach: The numbers in this report demonstrate there is progress being made over time as more and more organizations are taking payment seriously and maturing their processes. While 100% compliance for interim assessments has improved to slightly over half, looking at each requirement, the gaps are closing to a healthy level of incremental change rather than monolithic gaps in compliance. That means the overall cost of compliance is diminishing as we work together as an industry to maintain a high level of trust in each and every payment channel.
As the pace of criminal activity increases, establishing and maintaining sustainable security processes that can adapt and react to change more quickly is increasingly important. This is something we’ll be talking about at our upcoming North America Community Meeting in Orlando.
Join global payment and security leaders to discuss this and other pressing payment security matters at the North America Community Meeting in Orlando.