PCI SSC Chief Technology Officer Troy Leach talked with PCI Europe Community Meeting attendees in Barcelona this week about the next generation of payment security. Here we share some highlights from his presentation.
Discussing payment security trends to watch now and looking ahead, PCI SSC Chief Technology Officer (CTO) Troy Leach shared priority focus areas for evolving PCI Standards and programs, including: improved authentication, better software design for modern payments and security accountability for third parties. Here’s a snapshot of some of the key takeaways from Leach’s presentation on why these areas are important to payment security, and how PCI SSC is working to address them.
IMPROVED AUTHENTICATION
“Dynamic authentication is becoming increasingly important to securing payments in an omni-channel world,” said Leach.
Why improved authentication?
- According to Verizon Business, 81% of hacking-related breaches leveraged weak, default or stolen passwords. As criminals continue to target valid credentials like passwords, authenticating the user, the payment transaction and the integrity of the payment instrument will become increasingly important.
How is PCI SSC addressing this area?
- The PCI SSC enhanced requirements for multi-factor authentication (MFA) in PCI DSS v3.2 and published guidance earlier this year on the proper use of MFA for preventing unauthorized access to computers and systems that process payment transactions.
- Dynamic authentication technology, as utilized in EMVCo’s EMV® 3-D Secure (3DS), is also improving authentication for e-commerce and m-commerce environments by enabling consumers to authenticate themselves with their card issuers when making purchases through web browsers or via mobile applications. This week the PCI SSC announced two new PCI Standards to further enhance the security of 3DS infrastructures and transactions.
BETTER SOFTWARE DESIGN FOR MODERN PAYMENTS
“In information security we preach about monitoring for new threats and patching when vulnerabilities are discovered,” Leach told attendees. “But this is a reactive security practice for users of third-party software already in production. And the number of vulnerabilities can be daunting. If we can be more proactive in addressing payment application security during development, however, then we have the opportunity to reduce overhead for administrators to focus on other aspects of security.”
Why is better software design important to payment security?
- There is a growing dependence on software in today’s market to manage all aspects of payment transactions and the relationship between cardholders, merchants and their financial partners. The number of new merchants grows daily, and payment technology is introducing more and more ways to connect and use account information in software programs. This means there's a broader attack surface for criminals to try to find vulnerabilities, and the increasing frequency of updates creates additional complexity. To address the pace of change in modern software, good software design and lifecycle management for developers throughout the software supply chain is critical.
How is PCI SSC addressing it?
- PCI SSC is currently working on security standards that promote software lifecycle awareness and maintain the integrity and transparency of payment security within the code design. These draft standards will be available later this year for PCI Participating Organizations and assessors to review and provide feedback on.
SECURITY ACCOUNTABILITY FOR THIRD PARTIES
“From the development to the installation of payment products to the ongoing monitoring for malicious attacks, security remains a shared responsibility. Whether it is a software developer, cloud administrator or someone installing a POS for a merchant down the street, there should be a recognition of the accountability of each service provider to protect payment data to the best of their ability and be able to demonstrate that level of effort to their business partners,” Leach told attendees.
Why is security accountability for third parties important to payment security?
- Third party accountability continues to be important as businesses rely more and more on the outsourcing of services and software they operate within their enterprise. Whether it is Internet of Things (IoT) services, application design, encryption of cardholder data or methods to authenticate, all likely have a dependency on third parties to remain diligent in monitoring for security and maintaining good security practices.
How is PCI SSC addressing it?
PCI SSC is prioritizing security accountability for third parties in a number of ways:
- PCI DSS 3.2 introduced additional testing requirements for third party service providers to demonstrate ongoing security, so that customers relying on those services can have more confidence in the security of the payment environment.
- The Qualified Integrator Reseller (QIR) program helps address a particularly vulnerable link in the payment chain – the installation and maintenance of payment systems. Improper and insecure setup – failure to change default passwords or to turn off remote access, for example – continues to be a leading cause of breaches.
- As part of its focus on software security, the PCI SSC is prioritizing software developer education, so that merchants can have confidence in the security of the products they are using.