The next version of the PCI DSS standard for securing credit card data is likely to require or strongly urge merchants to invest in tokenisation, encryption and dynamic authentication, according to two of the council’s most senior members.
On the sidelines of the PCI Security Standards Council community meeting in Sydney this week, the council’s CTO Troy Leach and international director Jeremy King were asked how the payments industry needed to respond to a string of data security breaches that have stung some of the world’s largest retailers.
Attacks on Target, Kmart, Home Depot, Staples, Neiman Marcus and Dairy Queen have brought the security practices of retailers into sharp focus and have led some analysts to argue that the bar for PCI compliance – as a baseline of IT security for those that hold credit card data – needs to be raised.
The breach at Target left 40 million cardholders vulnerable, while attacks on Home Depot’s systems exposed closer to 56 million cards, at huge cost to issuers. Trustwave, the PCI auditor of Target, was threatened with a lawsuit by affected issuers over the matter.
The breaches have put considerable pressure on the council that sets the Payment Card Industry Data Security Standard, which is made up of representatives of the major credit card schemes (American Express, Mastercard, Visa et al) and volunteers from within the financial services and retail industries.
The council's international director Jeremy King said that while the standard already protects against many of the problems surfaced in the attacks, several issues have been brought into clearer focus.
Firstly, that compliance shouldn’t be a one-off audit activity, but rather a part of doing business, and additionally, that PCI compliance "isn’t just about keeping the wrong guys out of the system".
“There are requirements and processes we are working on targeted at trying to identify that there is someone in your system that shouldn’t be there,” King said.
He recommended the centralising of logging systems, so security administrators can detect unorthodox movements of data or transactions inside their networks.
“If you can identify that anomaly, and reduce the time [attackers] are inside your systems, the impact will likely be lessened."
The council’s CTO Troy Leach noted that signature-based security tools struggle to identify the zero-day exploits that so often give attackers unauthorised access to systems. And even when they do, merchant approaches to incident response have been shown to be sorely lacking.
In several of the attacks on retailers, “the security team was notified before it became a problem".
“So they had the right monitoring software in place to detect this, but they didn’t have the right response mechanism for it,” Leach said.
Encryption and tokenisation
The council is looking into how the use of encryption and tokenisation might play a part in future updates to the standard.
It is now all but accepted that attackers will get access to credit card data – the next strategy is to strip stolen data of value.
“Criminals are attacking because there is value,” Leach said. “The key question now is - what can we do to make payment card data dynamic so it has no resale value for a criminal?”
The PCI standard today recommends the encryption of cardholder data when it is transferred across open, public networks. Leach hinted that requirement might extend further in the future.
Where encryption isn’t practical, tokenisation might be a useful alternative, he noted. Tokenisation swaps out sensitive data for a ‘token’ substitute which only the approved owner or user of the data can readily translate.
“Using tokenisation – a criminal might steal what looks like an account number, only to find it’s not something they can sell on the black market,” Leach said.
“That’s where we’ll need to focus more heavily. We need to create dynamic data that has no value to the criminals, so that even if a large merchant loses seven million tokens, there is no loss to the merchant or consumer.”
Tokenisation will also ensure that the data a merchant stores on its computer systems won’t be much of a prize for malware writers.
“One thing that’s come into clear focus because of these breaches is that it wasn’t necessarily about an attack on a point of sale terminal, but rather the back office computers that were part of the broader PoS system and running unpatched, outdated software,” Leach said.
Should the merchant download a data set to a computer infected with malware, the use of tokenisation means it won’t necessarily expose cardholder data to a criminal.
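The tokenisation described above (a substitute value that looks like an account number but can only be turned back into the real one by the party holding the vault) is shown here as an added example, not code from the article or from the PCI council. A `TokenVault` issues a random token that keeps the length and last four digits of the card number, so merchant systems can store, display and reconcile it as before, while the mapping back to the real number lives only inside the vault and is released only to an authorised role. The Luhn check is the standard card-number checksum; generating tokens that deliberately fail it, the HMAC-based lookup index, the role name and the key are design choices and assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Assumption for this example: only a caller in one of these roles may reverse a token.
AUTHORISED_ROLES = {"payment-processor"}


def luhn_valid(number: str) -> bool:
    """Standard Luhn checksum; every real card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy vault: the only place a real PAN is stored.

    Tokens keep the PAN's length and last four digits so downstream systems
    need no changes, and are generated to FAIL the Luhn check so a token can
    never be mistaken for, or accidentally used as, a real card number.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._token_by_index = {}   # HMAC(PAN) -> token; the PAN itself is not the dict key
        self._pan_by_token = {}     # token -> PAN

    def _pan_index(self, pan: str) -> str:
        # Keyed hash so the lookup table cannot be reversed without the vault key.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenise(self, pan: str) -> str:
        """Return the token for a PAN, issuing a fresh one on first sight."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        idx = self._pan_index(pan)
        if idx in self._token_by_index:         # same PAN always maps to the same token
            return self._token_by_index[idx]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._token_by_index[idx] = token
        self._pan_by_token[token] = pan
        return token

    def detokenise(self, token: str, role: str) -> str:
        """Reverse a token for an authorised caller only."""
        if role not in AUTHORISED_ROLES:
            raise PermissionError(f"role {role!r} is not allowed to detokenise")
        return self._pan_by_token[token]        # KeyError: this vault never issued it


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    # Constructed test card numbers, not real accounts.
    merchant_store = [vault.tokenise(p) for p in ("4111111111111111", "5555555555554444")]
    print("what the merchant's back office holds:", merchant_store)
    # A copy of the merchant's data set without the vault is just digits that
    # fail the card checksum and map to nothing.
    print("valid card numbers among stolen tokens:", sum(luhn_valid(t) for t in merchant_store))
    print("processor can reverse:", vault.detokenise(merchant_store[0], role="payment-processor"))
```

The point the council makes in the quotes above falls out of the data structure: losing `merchant_store` loses nothing of resale value, because the tokens carry no key material and the vault, which does, sits on a separate system behind its own access control.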
King said tokenisation and dynamic authentication will become key issues in Australia as magnetic stripe cards are replaced with chip and pin.
He expects that, as the UK experienced previously, the change will reduce face-to-face fraud and shift more of the fraud to the card-not-present space.
Future versions of the standard will also have to consider the evolving use of mobile networks for completing transactions.
“The focus of the mobile telcos has been on connecting calls and passing lots of information,” King said. “It’s not been about payments and data security.
“New technology has brought new people into the payments space that don’t have any experience in data security. We have to train up a whole new group of people about why data security is important."
That’s been difficult to date, Leach noted, as every major technology company, retailer and bank is desperately trying to win its place in the mobile payments ecosystem.
“It's hard to get a standard around mobile payments because it's evolving so quickly,” he said.
Merchants have until the end of the year to comply with version 3.0 of the PCI DSS standard, which was introduced in November 2013.
A key theme of the version is to reinforce how merchants should view PCI compliance in the context of outsourcing to third-party cloud service providers and other outsourcers.
“You’ve seen the majority of the data breaches reported [involved] third parties having access to sensitive information,” Leach said.
“We should have expected it [well before the big retail breaches] because as an industry there is more outsourcing going on, more dependencies on outsourced service providers and third party software services.”
One of the main problems was that merchants had assumed that the PCI compliance their cloud service providers offered via their contracts – which covers the protection of the merchant's own credit card details – also covered the services the merchant offered customers that were underpinned by the cloud service.
“They thought that once they had outsourced to some random third party, that their responsibility was done,” Leach said. “That was never the case – they are still responsible to protect it.”
Version 3.0 therefore provides new requirements on third parties. Merchants have also separately been handed documents that Leach describes as “ammunition” to seek better security controls from cloud service providers.