What do stakeholders need to know about PCI Security Standards in 2019? PCI SSC Chief Technology Officer Troy Leach provides an update on what to expect for changes to existing standards and a look at those in development this year.
How is PCI SSC adapting PCI Standards to reflect changes in payments?
Troy Leach: If I look at the biggest changes in technology, especially technology used for payment acceptance, it comes down to three significant changes over the past several years: speed of delivery, diversity of payment acceptance methods and third-party dependency. PCI Standards are evolving to address these changes in technology and to meet the needs of the global payment card industry.
What are some examples of how PCI Standards are evolving to address these changes?
Troy Leach: We are seeing new software releases happening faster than traditional testing can sustain. At the same time, constantly changing cloud environments challenge an entity’s ability to demonstrate security as part of an assessment. PCI Standards are addressing this with a greater focus on design and outcome-based testing, which enables a more proactive and flexible approach to security that can be adapted and sustained. Recent examples of this include PCI Standards for securing 3DS authentication as well as secure software development. This approach also enables our standards to be adaptive to support new payment methods as they are introduced, without creating a new standard for each scenario.
What about third-party dependency? How is PCI SSC addressing this aspect of payments today?
Troy Leach: The proliferation of third-party players in the payment process creates new challenges and risks for securing payment data. We’ve addressed this through the work of our Special Interests Groups (SIG), providing guidance to the industry on managing supply chain risk, and with additional security requirements for third-parties in the PCI Data Security Standard (PCI DSS) and other PCI Standards.
Additionally, the need for third-party security assurance is a key driver for the development of PCI Standards for solution providers that have access to cardholder data environments, such as the Token Service Provider (TSP) and Point-to-Point Encryption (P2PE) Standards, as well as our newest standards for mobile device payment acceptance.
We are also tackling this aspect through developer education. The new Secure Software Lifecycle Standard provides organizations with a structure for educating developers about how to properly secure payment data during development and a testing approach to demonstrate, as a third-party, good security practices.
Which PCI Security Standards are being updated in 2019?
Troy Leach: Several standards are due for updates this year including our Point-to-Point Encryption and PIN Transaction Security Point-of-Interaction (PTS POI) Standards and a new Annex for the Software-based PIN-entry on COTS (SPOC) Standard. These standards are being updated to address emerging attacks, improve the reporting practices required for assessment of payment products and address security for additional payment acceptance scenarios.
What are the new PCI Security Standards in development?
Troy Leach: It’s hard to believe, but by the end of 2019 we expect to have 15 PCI Security Standards. This includes the new software security standards that were published in January, and a new mobile standard for contactless payments that use COTS (commercial off-the-shelf) devices.
We’ve had standards for traditional contactless payments for years, but the PCI Contactless Payments on COTS Standard focuses on a new area for us - identifying security strategies for demonstrating a transaction can remain secure using a COTS mobile device. It’s anticipated for an end of 2019 release.
Probably most attention is being paid to the next version of PCI DSS that is currently under development. Timing of PCI DSS version 4.0 will be determined based on feedback received during the development period, but it is not anticipated for publication prior to late 2020. The next request for comments (RFC) for PCI DSS is planned for the second half of the year and will be discussed at our North America, Europe and Asia-Pacific Community Meetings.
How can organizations be involved in the development process for these new PCI Security Standards?
Troy Leach: I’m glad you asked as we introduced many new changes this year for those interested in payment security to participate. We have several new procedures associated with our request for comments (RFC) process. Some of the changes include more advanced communications on RFC opportunities and a more formal response to all feedback received, as well as transparency of feedback submitted for those involved. Organizations can check out our RFC-at-a-Glance infographic for a quick understanding of the process, and we’re planning a webinar on it later this year for PCI SSC stakeholders.
In addition to the RFC process, we continue to provide opportunities for involvement through participation in Task Forces such as encryption, software design or mobile acceptance. Additionally, we host industry-specific events, which include our upcoming Acquirer Forums first in Las Vegas during ETA Transact and then in London, our annual Community Meetings and regular meetings for our Board of Advisors, Technical Advisory Board and Regional Engagement Board, which are elected positions.