To start by managing expectations, the future of PCI DSS compliance is not going to be any more exciting than it has been for the last five years, and it's unlikely that significant game-changing technology is going to come along in the next three to five years to ‘solve’ PCI DSS at a stroke.
That is not to say that new technology will not be involved in ongoing PCI compliance efforts, and when new things come to the market merchants should be aware and evaluate new technologies on their individual merits as part of their ongoing three-to-five-year payments technology roadmap.
It is also true to say that the payment security threat landscape will not change significantly in the next three to five years; whilst we are always told by companies who have been unfortunate enough to be the subject of a data breach that they were the victim of a ‘sophisticated attack’, the threat actors and perpetrators of data breaches will continue to look for the easiest ways to exfiltrate data and make a profit from the proceeds.
There is nothing new in Cyber Security to look forward to in 2021 according to Digital Shadows; the conclusion of their Trends and Predictions for the New Year report is that key mitigations to treat threats remain the same as they have been for years, and this continues to be reflected in current PCI DSS requirements:
patch your stuff
do not click on sketchy things
your dog's name is a terrible password!
And the Verizon 2020 Data Breach Investigations Report (Verizon) supports the fact that the same basic cyber hygiene and good methodical data security management will mitigate most threats, as has been consistently recommended for years. Verizon reveals that ‘credential theft, social attacks (ie. phishing and business email compromise) and errors cause the majority of breaches (67% or more); ... these three tactics should be the focus of the bulk of most organisations’ security efforts.’
Merchants should continue to exert influence on the evolution of PCI DSS and the technologies around it by being a Participating Organisation (PO) of the PCI Security Standards Council (SSC); the PCI SSC Software Security Framework (SSF) sets the standards for software development in the payments environment, and merchants should be demanding of their third-party service providers (TPSPs) and drive them towards this standard in the future. Validation and certification against the SSF demonstrate that a TPSP is serious about cardholder data (CHD) security and make re-attestation of compliance easier for merchants to achieve, as an SSF certification can take further elements of PCI out of scope for merchants, and such certifications can be especially helpful for assessment of suppliers of cloud services.
As PTSv3.0 PEDs reach their sunset date, merchants should consider opportunities for the use of commercial off-the-shelf (COTS) mobile devices (eg. tablets and smartphones) with near-field communication (NFC) to potentially replace the current hardware-based PIN entry devices. The relatively new PCI SSC standards for Software-Based PIN Entry on COTS (SPoC) Solutions enable EMV contact and contactless transactions with PIN entry on the merchant’s consumer device using a secure PIN entry application in combination with a Secure Card Reader for PIN (SCRP).
Whilst intended for smaller merchants’ use, there would be no reason why merchants should not investigate the opportunities to save cost, prepare for future payment trends and consumer expectations (eg. open banking) and allow for simpler device hygiene and less physical device contact, which is now important with the advent of Covid-19.
Over the next five years payment environment vulnerabilities should be expected to decline as payment service providers continue to innovate and increase security controls within their solutions, and as a wider variety of digital payment options evolve and take out the payment card as the risk (eg. digital wallet innovation, PayPal).
When PCI DSS compliance is achieved across all of a merchant’s payment channels, PCI DSS will not ‘go away’, and the governance of ongoing PCI compliance will require continued effort to maintain, without succumbing to the dreaded PCI compliancy curve decline phenomenon.
This will require a PCI compliance management team to be constantly managing the efforts required of repeated re-attestations of compliance, with a wider group of business stakeholders being called upon to provide documentary evidence across the three pillars of compliance: people, process and technology, for the foreseeable future.
The PCI compliance management team of the future, as maintenance of compliance becomes the focus, may need different skill sets as merchant compliance programs move away from project-based activity. The emphasis will be on a team who will have to work tenaciously with stakeholders across the merchant to maintain PCI compliance across the year between audits, and to maintain the documentary evidence to support it, a key trend expected in PCI DSS V4.0, of which more will be covered in a subsequent article.
Merchants will need to continue to evolve a PCI aware culture to a much wider stakeholder community than before, aligned with data governance and cyber hygiene programs, with a core PCI compliance team who are disciplined, tenacious, methodical, and thorough with the detail.
The culture of payment security must become like ‘muscle memory’, with stakeholders even considering new ways of taking payments thinking ‘security-by-design’ and knowing what PCI DSS requires and who the experts are in the PCI management team who can advise. Within the ‘muscle-memory’ secure payments culture it is essential that new payment initiatives are debated and appropriately considered from a security point of view.
This article will be followed up with a series of further articles exploring in more detail the PCI DSS Future topics touched upon here.
UKDataSecure is currently working with organisations across multiple industry sectors and ‘start-ups’, small and medium sized enterprises (SMEs), FinTechs, retailers and others.
We can help your organisation with everything you need to secure your cardholder data environment, whether it be data security policies, incident response planning, security by design, data permeation, expert resources and experience, remote Data Security-as-a-Service, training and awareness or something bespoke for your organisation.
We can also help you to achieve and certify PCI DSS compliance, as well as GDPR, ISO27001, Cyber Essentials, IASME, NIST, SOC2, NIS and CAF.
We’d love to talk to you today to see how we can help you with PCI DSS; please contact us and book a short chat this week using https://bit.ly/ukdsbookacall.
I look forward to talking through the details of the services we offer as soon as we can, and I look forward to working with new clients to achieve appropriate data risk management and information security governance and compliance as required.