The PCI DSS (Payment Card Industry Data Security Standard), as outlined by the PCI Security Council, was traditionally enforced to ensure that merchants’ perimeter payment-card security initiatives were in line with the minimum legislation, but not much more.
The standard applies to all organisations that store, process or transmit payment card data from one of the participating payment card brands, such as Visa, MasterCard or American Express, says Jayson O’Reilly, director: Sales & Innovation at DRS.
However, with the current skills crisis facing the security industry, it is no wonder that news of security breaches and the exposed financial information of high-profile organisations has today become commonplace.
These events hardly have legs online or in the papers for two or more days before a new, more gripping event replaces them on the front pages. In most cases, employees are sworn to secrecy to ensure that a security breach never makes the headlines.
One high-profile case, for example, was when the City of Johannesburg’s servers were compromised in August this year, exposing account holders’ personal information, allowing hackers to access anyone’s account and, in turn, revealing what a financial mess the government entity finds itself in.
While this should raise major concerns for organisations that are primarily using card payment solutions for their internal and external customers to conduct business, many have become complacent.
In fact, many companies rely on a combined effort between their shrinking technical teams – to assure top management that their security solutions are up to scratch – and the damage-control policies of their public relations and legal departments, to ensure that their actual losses are never disclosed.
Many organisations’ security perimeters are beefed up only when the auditors knock on the door. Once they are given the ‘all clear’ for another financial year, companies proceed to go back to the way they have always done things… the easier, softer way.
A revised strategy is needed and the PCI Security Council has taken note. The new PCI DSS 3.0, to be released in November 2013, includes a vigilant effort to curb security breaches not only from a technological point of view, but from a company culture perspective when conducting day-to-day business as well.
The culmination of research conducted since 2010, the standard aims to integrate security further as a delicate mix of people, process and technology.
But haven’t we heard this all before? Is this not the sales pitch that every security expert sugar coats in boardrooms while top executives nod their heads in pensive agreement?
Perhaps the PCI DSS 3.0, while probably not the nirvana for all payment security woes to come, can further address and curb the reality of security breaches and their financial and reputational consequences.
In fact, it is time for organisations to realise that PCI DSS 3.0 should be part of business as usual, and not seen as a necessary evil. Every change to a business process must heed the fundamental aspects of these standards, and every new software implementation should dovetail with PCI DSS to ensure that it is in line with the standard’s development life cycle security requirements.
There must be clear visibility to ensure that policy is properly enforced, that information is communicated to IT departments, and that employees can demonstrate their ability to comply.
Additionally, today’s security is not just about compliance or tick-box security regimens to secure a company’s information from outside attacks, but also about compliance from a vendor software perspective inside the organisation.
This affects the enterprise and operational levels in distributed IT environments, such as ERP, CRM and supply chain management systems.
Through assessments, penetration testing and threat modelling, we have seen an increasing risk posed by these applications as they now integrate with devices such as notebooks, tablets and, in particular, smartphones, both inside and outside the enterprise.
Users are often not as paranoid as security professionals, and are also not always trained on PCI standards. They can be complacent when it comes to strong passwords on workstations and smartphones.
Entering differing and complex combinations for security verification on these devices is still very cumbersome. Efforts to enforce these policies across multiple interfaces have turned users’ understanding of robust security into frustration with the seemingly draconian practices enforced by their company network administrators.
This is all about to change. Enter PCI DSS 3.0. We see the new PCI standard paving a way for a new era of security, where compliance is the starting point and not the finishing line when conducting business via electronic card payments.