Inside WEX

Payment Card Industry Data Security Standards Update to Reflect Trends in Data Breaches

July 13, 2016

The payment card industry is engaged in a never-ending battle to protect customers’ information. The stakes are high: general-purpose cards are a 5 trillion dollar market, according to the Nilson Report. That drive for security is why the industry introduced EMV chip cards.

In one survey, Ponemon reported that more than half of executives believe that EMV chip technology will reduce the risk of data breaches. At the same time, the same survey showed that 64 percent of executives think securing payment card information is more difficult than securing other kinds of personally identifying information.

One reason for these results is that EMV has not been fully adopted by all merchants; another is that, like any new technology, EMV may have vulnerabilities that have not yet been identified; and a third is that, because EMV makes counterfeiting a physical card much harder, attackers shift to targets where EMV offers no protection, such as card-not-present (online and phone) transactions and stored card data.

As a result, the payment card industry continually develops new standards to strengthen data protection. The PCI Security Standards Council recently published version 3.2 of the main standard, PCI DSS (Payment Card Industry Data Security Standard), which addresses more sophisticated attacks. In one Verizon study of data breaches, none of the companies that were breached was fully compliant at the time of the breach.

PCI DSS Requirements

PCI DSS applies globally to every organization that stores, processes, or transmits payment card data, merchants and service providers alike, and provides comprehensive requirements for data security. Its 12 requirements are:

  1. install and maintain a firewall configuration to protect cardholder data
  2. do not use vendor-supplied defaults for system passwords and other security parameters
  3. protect stored cardholder data
  4. encrypt transmission of cardholder data across open, public networks
  5. protect all systems against malware and keep anti-virus software up to date
  6. develop and maintain secure systems and applications, including timely patching
  7. restrict access to cardholder data by business need to know
  8. identify and authenticate all access to system components (unique IDs, strong authentication)
  9. restrict physical access to cardholder data
  10. track and monitor all access to network resources and cardholder data
  11. regularly test security systems and processes
  12. maintain a policy that addresses information security for all personnel

While it’s difficult for companies to implement these controls and maintain compliance, Verizon’s study showed that these controls are effective in reducing the risk of breaches.

Impact of PCI DSS 3.2

The new version of PCI DSS emphasizes people, process, and policy rather than technology alone. Key changes include:

  • Require multi-factor authentication in more situations. The previous version required multi-factor authentication (that is, not relying solely on a password) only for remote access into the network from outside it. Version 3.2 (requirement 8.3) extends this to all non-console administrative access to the cardholder data environment, even from the internal network. Requiring MFA on the inside limits what can be done with a stolen or guessed administrator password, whether the user of that password is an insider or an outsider who has already gained a foothold on the network.
  • Use modern security protocols. Much data is still transmitted using SSL and early TLS (TLS 1.0), which are no longer adequate: they have known vulnerabilities and working exploits, POODLE against SSL 3.0 being the best-known. Version 3.2 sets June 30, 2018 as the deadline for migrating to TLS 1.1 or higher (TLS 1.2 is recommended); until then, any entity still using SSL or early TLS must have a documented risk mitigation and migration plan in place.

  • Additional testing and documentation for service providers. Third parties involved in the payment process, called service providers, must document their cryptographic architecture, establish a process to detect and report failures of critical security controls (firewalls, intrusion detection, anti-malware, logging and the like), and penetration test their network segmentation controls at least every six months. Executive management must also formally take responsibility for the protection of cardholder data.
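The SSL/early TLS change above is the one item in this list that can be verified directly against a server. The following Python script is an added example, not code from the original post or from WEX: it attempts a handshake pinned to each protocol version against a host and port supplied on the command line (the `localhost:443` default is a placeholder) and reports which versions the server negotiates. It also records the case where the local OpenSSL build cannot offer an old version at all, which is common for SSLv3 and TLS 1.0 on current systems and would otherwise be misread as the server refusing them. The error-reason strings used to tell those two cases apart are an assumption based on common OpenSSL messages.

```python
"""Probe which SSL/TLS versions a server will negotiate.

Added example, not WEX code. Assumptions (not from the original post): the
target host and port are given on the command line, and the local OpenSSL
build may refuse to offer old protocol versions at all.
"""
import socket
import ssl
import sys
from typing import Dict, List, Optional

# Versions PCI DSS 3.2 (Appendix A2) requires entities to migrate away from,
# and the versions that should be negotiated instead.
WEAK_VERSIONS = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
STRONG_VERSIONS = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)

# OpenSSL error reasons that mean the *client* could not offer the version,
# as opposed to the server rejecting it (assumed heuristic, common reasons).
CLIENT_SIDE_REASONS = ("NO_PROTOCOLS_AVAILABLE", "NO_CIPHERS_AVAILABLE")


def probe_version(host: str, port: int, version: ssl.TLSVersion,
                  timeout: float = 5.0) -> Optional[bool]:
    """Try one handshake pinned to `version`.

    Returns True if the server completed it, False if the server refused it,
    and None if this client could not offer the version at all.
    Connection-level failures (DNS, refused port, timeout) propagate as OSError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are testing protocol support, not the certificate, so skip verification.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Python sets OP_NO_SSLv3 by default; clear the legacy OP_NO_* bits so
        # the min/max version settings below are the only restriction.
        ctx.options &= ~(ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None  # OpenSSL built without this version (typical for SSLv3)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError as exc:
        if (getattr(exc, "reason", None) or "") in CLIENT_SIDE_REASONS:
            return None
        return False  # e.g. TLSV1_ALERT_PROTOCOL_VERSION: the server refused


def scan(host: str, port: int) -> Dict[str, Optional[bool]]:
    """Probe every version; results are keyed by enum name (e.g. 'TLSv1_2')."""
    return {v.name: probe_version(host, port, v) for v in WEAK_VERSIONS + STRONG_VERSIONS}


def assess(results: Dict[str, Optional[bool]]) -> List[str]:
    """Turn scan results into findings; an empty list means nothing to fix."""
    findings: List[str] = []
    for v in WEAK_VERSIONS:
        outcome = results.get(v.name)
        if outcome is True:
            findings.append(f"{v.name} accepted: migrate off SSL/early TLS (PCI DSS 3.2 Appendix A2)")
        elif outcome is None:
            findings.append(f"{v.name} could not be tested from this client; verify with another tool")
    if not any(results.get(v.name) for v in STRONG_VERSIONS):
        findings.append("no TLS 1.2 or 1.3 negotiated: the server offers only weak versions "
                        "or the handshake failed for another reason")
    return findings


if __name__ == "__main__":
    target_host = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # placeholder
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    scan_results = scan(target_host, target_port)
    labels = {True: "accepted", False: "refused", None: "untestable from this client"}
    for name, outcome in scan_results.items():
        print(f"{name:8s} {labels[outcome]}")
    for finding in assess(scan_results):
        print("FINDING:", finding)
```

Run it as `python3 tls_probe.py example.com 443`. A clean result shows TLS 1.2 or 1.3 accepted and every weak version refused; any version reported as untestable from this client should be re-checked with a tool that still speaks it, such as `openssl s_client` or nmap's `ssl-enum-ciphers` script, before the server is signed off as compliant.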

There’s no guarantee, of course, that these measures will prevent a breach. The number of attacks is immense: Symantec reports it found 430 million new malware variants in 2015. Not all of them target the payment card industry, but given the size of the industry, many do. As a result, payment card security measures like EMV chips and the PCI DSS standard will continue to evolve to match the ongoing threats.
