Thursday, August 12, 2010

PCI Standards: Room for Improvement

Kelly Jackson Higgins reports on the Dark Reading Website that Joshua Corman, research director for the enterprise security practice at The 451 Group, believes that the forthcoming PCI version 2.0 going into effect this fall "needs more teeth."

"The standard in its current 1.2 and 2.0 forms is not sufficient to prevent attack from a determined adversary," in Corman's opinion.

Gary Palgon, lead chair for the PCI SSC Scoping Special Interest Group's tokenization working group, said in a blog post that the card brands themselves may be hindering PCI's success, as some continue to issue their own, independent standards for PCI compliance instead of conforming exclusively to PCI SSC-derived standards. "Having a universal, singular standards set is paramount for easing compliancy requirements and reducing complexity for merchants and service providers alike."

Palgon, who is also VP of product management at nuBridges, a tokenization vendor, says that while the new PCI changes clarify many of the PCI requirements, more specific guidance is needed for emerging technologies such as encryption and tokenization -- both of which are due to arrive with the new spec this fall.

"As the lead chair for the PCI SSC Scoping Special Interest Group’s Tokenization Working Group," notes Palgon in his blog post, "I am helping drive efforts to ensure that guidance on these important security technologies will be forthcoming. Just as the industry’s needs with regard to protecting enterprise data are evolving rapidly, such guiding standards need to be put into place more quickly, as well."

Bob Russo, general manager of the PCI Standards Council, suggests that PCI DSS now reinforces the need for a "scoping exercise" to identify bundled cardholder data. "We're not endorsing any discovery tools. But before you bring in a QSA, you really need to use some kind of methodology to find where cardholder data is on the network," he says. "Before, we hadn't really talked about using any of these methodologies. We just said you should know where your data is. We are now encouraging people to reach out using one of these discovery methods."

The PA-DSS is also now more closely aligned with the PCI DSS. The spec adds a requirement for payment applications to support centralized logging, which is part of PCI DSS. "Centralized logging is really important to us," Russo says.

There is also accommodation for risk tolerance factors in the new PCI Data Security Standard, and low-risk issues "don't necessarily have to be addressed."

"Another clarification," notes Jackson, "addresses PCI DSS 3.3 and 3.4, which require that payment application passwords be made unreadable (encrypted) while being transmitted and stored. The clarification notes that this applies only to the primary account number (PAN)."
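The "scoping exercise" Russo describes and the PAN-specific clarification above both come down to the same practical question: where does a primary account number actually sit in logs, exports and databases, and is it rendered unreadable there? The following is an added example, not code from the page, from the PCI SSC or from any of the vendors mentioned. It is a small discovery pass that flags candidate PANs in text (13 to 19 digits, optionally separated by spaces or dashes) and filters out false positives with the Luhn check, then reports each hit in the masked form PCI DSS 3.3 permits (first six and last four digits). The sample log lines and the test card numbers in them are constructed for the example; a real scoping exercise would run this kind of check against file shares, databases and log archives rather than an in-memory list.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, each digit optionally followed by a space or dash,
# not preceded or followed by another digit (so a 20-digit serial is not a hit).
# This is a heuristic for the example, not a PCI-mandated pattern.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by card brands; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the digit strings of all Luhn-valid PAN candidates in text."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Display form allowed by PCI DSS 3.3: at most first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan text lines and report (line number, masked PAN) for every hit.

    The full PAN is never returned or printed, so the discovery report itself
    does not become a new store of cardholder data.
    """
    hits = []
    for lineno, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append((lineno, mask_pan(pan)))
    return hits


# Constructed sample log lines for the example. The card numbers are the
# well-known public test numbers (4111..., 3782...), not real accounts.
# Line 2 carries a 16-digit reference that fails the Luhn check and so is
# correctly ignored.
SAMPLE_LINES = [
    "2010-08-12 10:01:02 order=88213 card=4111 1111 1111 1111 amount=19.99",
    "2010-08-12 10:01:05 order=88214 ref=1234567890123456 amount=5.00",
    "2010-08-12 10:02:11 customer note: amex 378282246310005 on file",
    "2010-08-12 10:03:00 healthcheck ok",
]


if __name__ == "__main__":
    for lineno, masked in scan_lines(SAMPLE_LINES):
        print(f"line {lineno}: PAN found, masked {masked}")
```

A hit in an application log is exactly the finding a scoping exercise is meant to surface before the QSA arrives: the log (and the system that writes it) is in scope, and the PAN there must be truncated, hashed or encrypted per PCI DSS 3.4 or removed altogether. The Luhn filter keeps order numbers and timestamps out of the report, but it is only a filter; a brand-agnostic scan like this will still need manual review of the hits.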

Jaikumar Vijayan of Computerworld reports that according to Gartner Analyst Avivah Litan many Gartner clients are trying to understand whether their adoption of new technologies such as chip cards, tokenization and end-to-end encryption will limit the scope of their compliance requirements. Most of the clarifications around such issues, however, have been left for Special Interest Groups (SIG) to figure out. "These SIGS are not being held to any particular deadlines and it's still unclear how their reports will fold into PCI requirements," said Litan.

Vijayan also quotes James Paul, Senior VP, Delivery at Trustwave: "The PCI Security Council's guidance around virtualization technologies is going to be another area that is going to be closely watched." Trustwave provides PCI assessment services for many of the largest retailers in the country. Many Trustwave customers want to know today whether their use of virtualization technologies will increase the scope of their PCI requirements, said Paul. "It's an emerging technology. There are a lot of questions around it. There are a lot of people somewhat hesitant to dive into it until they see some guidance."
