
Any merchant that accepts credit or debit card payments is likely familiar with the Payment Card Industry Data Security Standard. Managed by the PCI Security Standards Council, which was founded by the major card brands (Visa, Mastercard, American Express, Discover and JCB), PCI DSS sets out requirements for how cardholder data is stored, processed and transmitted.
It mandates, among other requirements, building and maintaining a secure network and regularly testing it. Many of its stipulations, such as changing vendor-supplied default passwords and encrypting cardholder data whenever it crosses open, public networks like the Internet, also double as good general cyber security advice.
Today's payment-related threats and what PCI DSS recommends
PCI DSS has evolved substantially following its initial rollout in the mid-2000s. Since then, payment security has become increasingly urgent for enterprises and small businesses:
- Major card-related incidents such as the breach at Target, which resulted in the theft of 40 million card numbers, showed that physical point-of-sale systems could be vulnerable even if they had been previously certified as PCI compliant.
- Magnetic stripe cards, whose static track data made the card numbers stolen at Target easy to clone, are being phased out in favor of EMV chip cards. But this transition has had the added effect of prompting many attackers to target e-commerce platforms instead, where a "card not present" transaction gains nothing from the chip.
- Indeed, fraud charges related to "card not present" transactions (like online purchases) climbed by a third between 2011 and 2013 and could surpass $6 billion by 2018 – triple the 2011 figure, according to a CyberSource Corp. report.
- Mobile payment platforms such as Apple Pay and Android Pay have gained traction in recent years, despite security concerns. A LexisNexis study found that mobile payment had become riskier since 2010, while a 2016 PYMNTS report revealed that 28 percent of U.K. consumers were worried about mobile payment security.
- Many merchants have partnered with third-party service providers to help with their payment systems, either via cloud infrastructure (e.g., Amazon Web Services) or external payment portals. This can complicate compliance since security responsibilities are split or shared in some cases.
In this context, the PCI SSC has updated PCI DSS (version 3.1, released in April 2015) with more stringent requirements. For starters, it has pushed adoption of newer versions of the TLS protocol: TLS 1.1 at a minimum, and preferably TLS 1.2. Compliant merchants must move off SSL and early TLS (TLS 1.0) entirely.
This move is necessary because NIST (the National Institute of Standards and Technology) withdrew its approval of the decades-old SSL protocol in 2014, and because SSL and early TLS are exposed to protocol-level attacks such as POODLE against SSL 3.0 and BEAST against TLS 1.0. Heartbleed, uncovered the same year, was a different kind of problem: an implementation bug in the OpenSSL library rather than a flaw in the protocol itself, but it showed how much of the Web's encryption rested on aging code and drew attention to the broader problem.
"[T]here are no fixes or patches that can adequately repair SSL or early TLS," explained a PCI SSC website document. "Therefore, it is critically important that organizations upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS."
The updated requirements were unveiled in 2015, with an initial migration deadline of June 30, 2016. That deadline has since been pushed back to June 30, 2018 following feedback from the marketplace, although new implementations must not use SSL or early TLS in the meantime.
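The migration the PCI SSC describes is easy to get wrong in practice because many TLS libraries still accept TLS 1.0 unless the minimum protocol version is pinned explicitly. The following Python script is an added example, not part of the original article or of any PCI SSC material. It audits a server-side `ssl.SSLContext` for the two properties that matter here: a protocol floor at or above TLS 1.2 and the absence of known-weak cipher suites. The floor value (TLS 1.2 rather than the TLS 1.1 minimum the standard tolerates), the cipher string and the weak-cipher name markers are this example's own assumptions. It builds a "before" context that mirrors a legacy configuration and a hardened "after" context, then runs the audit over both.

```python
"""Audit a server-side ssl.SSLContext for the PCI DSS SSL/early-TLS rule.

Added example using only the Python standard library; the version floor,
cipher string and weak-cipher markers below are this example's own
assumptions, not text from the PCI SSC."""
import ssl
import warnings

# Assumption: adopt the recommended floor (TLS 1.2) rather than the bare
# minimum (TLS 1.1) that PCI DSS 3.1 tolerates.
REQUIRED_MINIMUM = ssl.TLSVersion.TLSv1_2

# Assumption: substrings of OpenSSL cipher names that mark suites a
# cardholder-data path should never negotiate.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXP-")


def audit_tls_policy(ctx):
    """Return a list of findings; an empty list means the context is clean."""
    findings = []
    # minimum_version is an IntEnum; MINIMUM_SUPPORTED (-2) means "whatever
    # the linked OpenSSL allows", which on older builds includes TLS 1.0 and
    # even SSL 3.0. Only an explicit pin at or above TLS 1.2 passes.
    if ctx.minimum_version < REQUIRED_MINIMUM:
        findings.append(
            f"minimum_version is {ctx.minimum_version.name}: SSL/early TLS are "
            "not excluded, so fallback depends on the library's defaults"
        )
    weak = sorted(
        c["name"] for c in ctx.get_ciphers()
        if any(marker in c["name"].upper() for marker in WEAK_CIPHER_MARKERS)
    )
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


def legacy_server_context():
    """A pre-migration deployment: floor set to TLS 1.0 (the equivalent of
    'ssl_protocols TLSv1 TLSv1.1 TLSv1.2' in nginx) and default ciphers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # TLSv1 member is deprecated
        try:
            ctx.minimum_version = ssl.TLSVersion.TLSv1
        except ValueError:
            # OpenSSL built without TLS 1.0: the floor stays at
            # MINIMUM_SUPPORTED, i.e. still unpinned, and the audit flags it.
            pass
    return ctx


def hardened_server_context():
    """The migrated deployment: TLS 1.2 floor, no legacy fallback, and an
    AEAD-only, forward-secret cipher list (assumed policy, see module doc)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = REQUIRED_MINIMUM
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_server_context()),
                       ("hardened", hardened_server_context())):
        findings = audit_tls_policy(ctx)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Run it directly to see the legacy context fail and the hardened one pass. The same two settings map onto web-server configuration: in nginx, `ssl_protocols TLSv1.2 TLSv1.3;` with a matching `ssl_ciphers` line. For an external check against a live endpoint, `openssl s_client -connect host:443 -tls1` should fail to negotiate once the fallback is disabled.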
Still a ways to go in getting everyone up to speed on PCI DSS
The deadline extension is itself a telling sign of the state of PCI compliance in 2016. Outdated protocol versions are still in widespread use: in November 2015, 67 percent of the websites surveyed by the PCI SSC had inadequate security measures in place. Even with the deadline years away at the time of this writing, the PCI SSC has urged merchants not to wait, lest they risk a costly breach.
Beyond encryption, there are other significant obstacles to PCI compliance at the moment. One is the migration of so many IT operations and infrastructures to public clouds such as AWS and Microsoft Azure. Relying on an external provider can be more convenient and cost-effective than running the same workloads on-premises, but it brings its own security risks, including changes to which systems fall within PCI DSS scope.
For example, although a cloud provider may supply the underlying infrastructure for a merchant's website and apps, the merchant remains responsible for much of its own PCI DSS compliance. The merchant is on the hook for ensuring that encryption and up-to-date antivirus/anti-malware programs are in place on its systems, while both it and the cloud provider must implement firewalls at their respective layers. A provider's own PCI DSS attestation covers only the services it operates, not the merchant's configuration of them.
"[M]any of the [PCI DSS] items require both parties to implement security controls," explained the authors of a 2015 Trend Micro solution brief on PCI compliance in AWS. "Outsourcing daily management of a subset of PCI DSS requirements to AWS does not remove the client's responsibility to ensure cardholder data is properly secured and that PCI DSS controls are met."
Ensuring PCI compliance is a complex task. Be sure to support your practices with comprehensive security software.