PCI 3.0 Gets Positive Initial Reviews from Security Pros

    August 20, 2013 Alex Woodie

    For many IT professionals, the letters “PCI DSS” conjure painful memories of invasive audits of internal systems that, in the end, generated hundreds of billable hours for compliance experts but did little to actually boost security. While the PCI 3.0 standard that was previewed last week won’t eliminate deep scrutiny, it may actually boost security, experts say.

    The PCI Security Standards Council (PCI SSC) last week issued a preview of version 3 of the Payment Card Industry Data Security Standard (PCI DSS). According to the PCI SSC, the new standard “will help companies make PCI DSS part of their business-as-usual … by introducing more flexibility, and an increased focus on education, awareness, and security as a shared responsibility.”

    To that end, the PCI SSC highlighted several changes that are on tap for PCI DSS 3.0. These include:

      • building security policy and operational procedures into each requirement;
      • providing guidance for all requirements;
      • giving more flexibility around password strength and complexity;
      • delivering new requirements for point of sale (POS) terminal security;
      • adding more robust requirements for penetration testing and for validating network segmentation;
      • delivering new considerations for cardholder data held in memory;
      • providing better testing procedures; and
      • requiring software vendors to achieve compliance, including threat modeling.

    One security expert applauding the changes is Philip Lieberman, CEO of security software company Lieberman Software. “The new PCI 3.0 standard is long overdue,” Lieberman said in a written statement. “For most merchants, the existing PCI standard is one-time pain per year where things are cleaned up, and the bad security practices return almost immediately after the auditor leaves.”

    The new standard also appears to recognize that perimeter breaches are a regular occurrence and that additional focus is needed on securing databases and applications, not just the network. “Given that the perimeter is no longer secure, the only real mitigation is to have persistent controls within the interior that are both human and technological to minimize losses,” Lieberman said.

    By moving the focus toward implementing good security processes and away from compliance, the new PCI standards will hopefully put merchants on the right track toward protecting their data. This should, at the same time, help security software companies while hurting unscrupulous auditors, Lieberman said.

    “The old PCI standard generated very little business for us and little security for merchants,” he said. “It was a boon to auditors and charlatans that provided PCI certifications for a boatload of money yet delivered little to nothing of any real value to their clients.”

    That sentiment was echoed by Pierluigi Stella, CTO of managed security services provider Network Box USA. “I’m incredibly relieved to hear that PCI needs to be more focused on security and less on filling up check marks to reach compliance. Because, as I’ve stated on numerous occasions, compliance doesn’t make you secure, while security will likely make you compliant.”

    The PCI 3.0 standards are still up for review by the PCI community and are scheduled to be officially published in November.

Volume 13, Number 23 -- August 20, 2013