Version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS 3.0) was put in place to raise the bar for safeguarding card transactions and the cardholder data behind them.
But that’s not enough, says Joe Majka, VP and Chief Security Officer of Verifone, who spoke with PYMNTS last week.
Security officers at firms large and small should go above and beyond what is codified to make sure payment card data is as secure as possible, and should not let EMV lull them into a false sense of security.
The PCI DSS 3.0 Primer
PCI DSS 3.0 traces its genesis to late 2013, when the standard was first published; it took effect in January 2014. Several of the requirements issued then were tagged as "best practices," and as of this summer (2015) those best practices have become mandatory requirements for merchants and service providers across the payments landscape.
“Each of these new requirements is important to ensuring a more secure environment for handling payment card data,” notes Majka. “However, it’s just as important to realize that PCI DSS itself is merely one very important aspect of a multi-layered approach [to security]."
First, players in the payments arena should be aware of, and embrace, what may be viewed as the more pressing mandates. Included in that group, maintains Majka, are the following:
- Section 6.5.10, which requires that software development policies and procedures address broken authentication and session management with appropriate coding techniques.
- Section 8.5.1, which mandates that service providers with remote access to customer premises "use and verify" a different authentication credential for each customer, so that one compromised credential cannot open every customer's environment.
- Section 9.9, which requires policies and procedures to protect card-reading devices that capture payment card data in card-present transactions from tampering and substitution.
- Section 11.3, which requires penetration testing from both inside and outside the network, and validation that any segmentation and scope-reduction controls actually isolate the cardholder data environment.
Finally, Majka says that Section 12.9, which requires service providers to acknowledge in writing to customers that they will adhere to all applicable PCI DSS requirements, helps ensure communication between providers and their customers about payment security.
Shouldering The Burden
Majka acknowledges the PCI standards place at least some new burden on companies, which may be grappling with other technological issues at the same time. “The fact that these new requirements take effect in such close proximity to the EMV liability shift in October is an unfortunate addition [to challenges facing merchants]," the executive notes, while going on to say that such actions “[reflect] the growing complexity of payment security and the need to ensure an organization has an ongoing effort to review its state of compliance.”
But is the body of directives in the security standard enough? Majka thinks there is more work to be done. Malware is on the rise, and so are threats to merchants, especially as cybercriminals target POS software. "It seems clear, based on the most recent series of POS breaches, that cybercriminals are increasingly turning their attention to small and mid-tier merchants," says Majka.
That may reflect a shift by criminals in the wake of bolstered defenses from large retailers with dedicated IT and security operations, he surmises. Of course, that puts smaller players at greater risk. “No one can afford to take the risk that the bad guys will overlook their operations,” Majka warns, “nor should they mistakenly assume that EMV adoption will solve the growing data breach problem.”
EMV Is Not Enough
EMV does indeed have its strengths, says Majka, chief among them that it helps solve the security challenge of counterfeit cards: a chip cannot be cloned from captured data the way a magnetic stripe can. In an EMV environment that is a "major step forward, particularly when magnetic stripe cards begin to be phased out."
Yet, as Majka cautioned in an interview earlier this year with PYMNTS, EMV is no panacea for safeguarding payments. As he noted in April, “EMV would not and could not have prevented the compromise of millions of card payment accounts due to data breaches at major retailers in recent years.”
And right now there are other pressing concerns within the payments industry. The "easiest and most lucrative" way for cybercrooks to make off with sensitive data is through the network itself, says Majka, which means additional measures are needed: EMV authenticates the card at the terminal, but it does not protect card data once it is in transit through, or stored in, a merchant's systems. Among the measures needed in tandem with EMV are encryption, so that intercepted data is unreadable, and tokenization, so that the systems storing a transaction never hold the card number at all.
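To make the tokenization point concrete, here is an added example that is not part of the original article and not Verifone's code: a minimal token vault that replaces a PAN with a random token, plus a demonstration of why a plain hash of the PAN is not a token. All names (TokenVault, luhn_valid, recover_pan_from_hash), the HMAC index key, and the test card numbers are assumptions for illustration. A production vault would keep the PAN column encrypted at rest under a key held in an HSM; the Python standard library has no AES, so this sketch holds the mapping in memory and concentrates on the token design itself.

```python
"""Tokenization vault sketch (constructed example, not Verifone's or any vendor's code)."""
import hashlib
import hmac
import secrets
from typing import Optional


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check: rejects malformed PANs before they enter the vault."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps PANs to random tokens; only the vault can reverse a token.

    The lookup index is an HMAC of the PAN under a vault-only key (assumed to
    live in the vault, never in the merchant's POS or web tier), so the same
    PAN always yields one token without the index itself exposing the PAN.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._by_token = {}   # token -> PAN (encrypted at rest in a real vault)
        self._by_index = {}   # HMAC(PAN) -> token

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._by_index:
            return self._by_index[idx]
        # Token = 12 random digits + last four of the PAN. The last four let
        # receipts and customer service work; the rest carries no PAN information,
        # because it is drawn from a CSPRNG rather than derived from the PAN.
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(12)) + pan[-4:]
            if token not in self._by_token and token != pan:
                break
        self._by_token[token] = pan
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only code running inside the vault boundary may call this."""
        return self._by_token[token]


def naive_hash_token(pan: str) -> str:
    """The anti-pattern: an unkeyed SHA-256 of the PAN used as a 'token'."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_hash(digest_hex: str, bin6: str, last4: str) -> Optional[str]:
    """Reverses a naive hash token by brute force.

    The 6-digit BIN and the last four digits are routinely printed on receipts,
    so only the six middle digits (10**6 candidates) are unknown; Luhn would cut
    that further. A keyed HMAC index held inside the vault, or a random token,
    does not fall to this search.
    """
    for middle in range(10 ** 6):
        candidate = f"{bin6}{middle:06d}{last4}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest_hex:
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    pan = "4111111111111111"          # well-known test card number, not a real account
    tok = vault.tokenize(pan)
    print("token:", tok, "-> same token on repeat:", vault.tokenize(pan) == tok)
    print("naive hash reversed to:", recover_pan_from_hash(naive_hash_token(pan), pan[:6], pan[-4:]))
```

The design choice worth noticing is that nothing outside the vault can turn a token back into a PAN: a breach of the merchant's database yields random digits plus the last four, while a breach of a system that stored unkeyed hashes yields the PANs themselves after a short search.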