
As PCI 3.1 deadline is pushed back, online merchants face big risks

  • Posted on:June 23, 2016
  • Posted in:Industry News, Security
  • Posted by:Christopher Budd (Global Threat Communications)
PCI DSS is designed to protect card payments.

Any merchant that accepts credit or debit card payments is likely familiar with the Payment Card Industry Data Security Standard. Managed by the PCI Security Standards Council (of which all the major U.S. card issuers are members), PCI DSS sets forth requirements for how card-based transactions are processed.

It mandates, among other requirements, the creation and testing of a secure network. Many of its stipulations – such as avoiding vendor defaults for passwords and encrypting cardholder data when it passes over public networks like the Internet – also double as good general cyber security advice.

Today's payment-related threats and what PCI DSS recommends

PCI DSS has evolved substantially following its initial rollout in the mid-2000s. Since then, payment security has become increasingly urgent for enterprises and small businesses:

  • Major card-related incidents such as the breach at Target, which resulted in the theft of 40 million card numbers, showed that physical point-of-sale systems could be vulnerable even if they had been previously certified as PCI compliant.
  • Magnetic stripe cards – key contributors to the Target hack and others – are being phased out in favor of more secure chip-and-PIN cards. But this transition has had the added effect of prompting many attackers to target e-commerce platforms instead.
  • Indeed, fraud charges related to "card not present" transactions (like online purchases) climbed by a third between 2011 and 2013 and could surpass $6 billion by 2018 – triple the 2011 figure, according to a CyberSource Corp. report.
  • Mobile payment platforms such as Apple Pay and Android Pay have gained traction in recent years, despite security concerns. A LexisNexis study found that mobile payment had become riskier since 2010, while a 2016 PYMNTS report revealed that 28 percent of U.K. consumers were worried about mobile payment security.
  • Many merchants have partnered with third-party service providers to help with their payment systems, either via cloud infrastructure (e.g., Amazon Web Services) or external payment portals. This can complicate compliance since security responsibilities are split or shared in some cases.

In this context, the PCI SSC has updated PCI DSS with more stringent requirements. For starters, it has pushed the adoption of newer forms of data encryption – TLS 1.1 or preferably TLS 1.2. Compliant merchants must move on from SSL and older forms of TLS.

This move is necessary because the National Institute of Standards and Technology deprecated the decades-old SSL in 2014, and because both SSL and legacy TLS are weak against several modern attacks. Major security flaws such as the Heartbleed issue in SSL, finally uncovered that same year, demonstrated the depth of these vulnerabilities.

"[T]here are no fixes or patches that can adequately repair SSL or early TLS," explained a PCI SSC website document. "Therefore, it is critically important that organizations upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS."
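The requirement in the quote above has two practical halves: pin the server so it cannot negotiate SSL or early TLS at all, and find the clients still using those versions before the fallback is switched off, so the change does not silently drop real customers. The Python below is an added example, not code from this post or from the PCI SSC; it assumes an nginx-style `log_format` that appends `$ssl_protocol $ssl_cipher` to each access-log line, and the log lines and certificate paths are constructed placeholders.

```python
"""Checks for the PCI DSS 3.1 rule quoted above: no SSL, no early TLS, no fallback.
Added example; not code from the Trend Micro post or from the PCI SSC."""
import re
import ssl
from ssl import TLSVersion

# Labels nginx ($ssl_protocol) and Apache (%{SSL_PROTOCOL}) write for the
# versions PCI DSS 3.1 bars outright. TLS 1.1 was tolerated, TLS 1.2 preferred.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}


def minimum_version_findings(min_version, require=TLSVersion.TLSv1_1):
    """Explain why a context's minimum protocol version fails the bar; [] means pass.

    MINIMUM_SUPPORTED leaves the floor to the TLS library, which may still
    negotiate SSLv3 or TLS 1.0, so it is reported as a fallback risk.
    """
    findings = []
    if min_version == TLSVersion.MINIMUM_SUPPORTED:
        findings.append("minimum_version not pinned: fallback to SSL/early TLS is possible")
    elif min_version < require:
        findings.append(f"minimum_version {min_version.name} is below {require.name}")
    return findings


def make_pci_server_context(certfile=None, keyfile=None):
    """Server context that refuses SSL and early TLS instead of falling back.

    Pinning minimum_version to TLS 1.2 is the 'preferably TLS 1.2' choice; a
    client offering only TLS 1.0 gets a handshake failure, not a downgrade.
    certfile/keyfile are hypothetical paths supplied by the operator.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx):
    """Run the minimum-version check against a live SSLContext."""
    return minimum_version_findings(ctx.minimum_version)


# Constructed access-log lines in an assumed nginx log_format that appends
# "$ssl_protocol $ssl_cipher" to the combined format ("-" means plain HTTP).
SAMPLE_LOG = """\
203.0.113.10 - - [23/Jun/2016:10:00:01 +0000] "POST /checkout HTTP/1.1" 200 512 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.11 - - [23/Jun/2016:10:00:05 +0000] "GET /cart HTTP/1.1" 200 2048 TLSv1 AES256-SHA
203.0.113.12 - - [23/Jun/2016:10:00:09 +0000] "POST /checkout HTTP/1.1" 200 511 SSLv3 RC4-SHA
203.0.113.13 - - [23/Jun/2016:10:00:12 +0000] "GET /cart HTTP/1.1" 200 2048 TLSv1.1 ECDHE-RSA-AES128-SHA
203.0.113.14 - - [23/Jun/2016:10:00:15 +0000] "POST /checkout HTTP/1.1" 200 510 - -
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<bytes>\d+|-) (?P<proto>\S+) (?P<cipher>\S+)$'
)


def find_noncompliant_handshakes(log_text):
    """Return (ip, finding, request) for connections PCI DSS 3.1 would not accept.

    'legacy:<proto>' marks SSL/early TLS sessions that must be migrated before
    fallback is disabled; 'unencrypted' marks plain-HTTP hits on the same paths.
    TLS 1.1 and 1.2 sessions are left alone.
    """
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        proto = m.group("proto")
        if proto == "-":
            results.append((m.group("ip"), "unencrypted", m.group("request")))
        elif proto in LEGACY_PROTOCOLS:
            results.append((m.group("ip"), f"legacy:{proto}", m.group("request")))
    return results


if __name__ == "__main__":
    print("hardened context:", audit_context(make_pci_server_context()) or "ok")
    print("TLS 1.0 floor:", minimum_version_findings(TLSVersion.TLSv1))
    for ip, finding, request in find_noncompliant_handshakes(SAMPLE_LOG):
        print(f"{ip:15} {finding:14} {request}")
```

Run the log check against a week of real access logs first: the list of `legacy:` clients tells you who will break when `minimum_version` is raised, and the `unencrypted` hits on checkout paths are a separate, more serious finding under the "encrypt cardholder data over public networks" requirement mentioned earlier.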

The updated requirements were unveiled in 2015, with an initial deadline of June 2016. However, that deadline has since been pushed back to 2018 following feedback from the marketplace.

Still a ways to go in getting everyone up to speed on PCI DSS

The deadline extension by itself is a telling sign of the state of PCI compliance in 2016. Outdated encryption standards are still in widespread use: In November 2015, 67 percent of the websites surveyed by the PCI SSC had inadequate security measures in place. Even with the deadline years away at the time of this writing, the PCI SSC has urged merchants not to wait, lest they risk a costly breach.

Beyond encryption, there are other significant obstacles to PCI compliance at the moment. One is the migration of so many IT operations and infrastructures to public clouds such as AWS and Microsoft Azure. Relying on an external provider can be more convenient and cost-effective than running the same workloads on-premises, but it comes with possible risks to security, including changes to PCI scope.

For example, although a cloud provider might supply the underlying infrastructure for a merchant's website and apps, that merchant remains responsible for parts of its PCI DSS compliance. The client would be on the hook for ensuring that encryption and updated antivirus/anti-malware programs were in place, while both it and the cloud provider would need to implement firewalls.

"[M]any of the [PCI DSS] items require both parties to implement security controls," explained the authors of a 2015 Trend Micro solution brief on PCI compliance in AWS. "Outsourcing daily management of a subset of PCI DSS requirements to AWS does not remove the client's responsibility to ensure cardholder data is properly secured and that PCI DSS controls are met."
   
Ensuring PCI compliance is a complex task. Be sure to support your practices with comprehensive security software.
