In August, TechTarget spoke with Avivah Litan, Vice President and Research Director, Gartner, Inc. at the Gartner Security & Risk Management Summit. She provided her perspective on Payment Card Industry Data Security Standard (PCI-DSS) 3.0. Here are the main highlights:

  • PCI-DSS 3.0 is approximately 27% “larger” (read: more burdensome) than its predecessor. Despite being “good security”, PCI-DSS 3.0 is becoming “incredibly onerous for most merchants”.
  • Litan explained that retailers are being forced to accept responsibility for securing the payment system and for its compliance. However, banks and processors need to be accountable as well. She explained that all three (retailers, banks and processors) should have worked together to develop and implement CHIP, P2P encryption and tokenization years ago. Instead, the burden (and the risk) is now shifting to the merchants. It isn’t right, because the merchants “are being asked to patch an insecure system”.
  • The discussion also referenced the recent Verizon PCI survey, which found that Requirement 11 is the least-met requirement. This requirement encompasses data segmentation, vulnerability scanning, and penetration testing (AKA pen testing). High-profile breaches, like Target, where there was inadequate segmentation between the HVAC and payment networks, have prompted changes in data segmentation. Consequently, card data must be isolated within the network to reduce exposure to vulnerabilities elsewhere. Penetration testing is meant to verify that segmentation and the other controls actually hold, raising the bar to unprecedented levels so that cyber criminals can’t crack the system.
  • Litan also mentioned the increased requirements around remote access (Requirement 8.5.1) and data responsibility (Requirement 12.9) between the merchant and third-party vendors. Essentially, service providers must explicitly attest to their compliance and notify their customers (the merchants) in writing that they are compliant. It’s an important step in clarifying roles and avoiding conflicts between customers and service providers. Prior to this new requirement, compliance was implicit rather than explicit.

We’ll keep you posted on how these new requirements impact the industry as well as upcoming regulatory changes.