
PCI DSS 3.0 Still Isn’t Enough

March 3, 2015

Featured article by Ed Fox, Vice President of Network Services at MetTel

Following the data breaches of 2014 (think Home Depot, Target and Sony Entertainment Pictures), it’s clear that security should be top of mind for both businesses and consumers in 2015.

Despite millions of accounts and identities being hacked, one thing consumers didn’t cut back on was credit card use. Ahead of Cyber Monday in 2014, retailers and manufacturers alike expressed concern around online purchases following the breaches. However, it was a pleasant surprise for all to see that total sales for the day went up 8.7% over 2013, according to the IBM Digital Analytics Benchmark. When it came to mobile transactions, one in five was a mobile sale, increasing by 29.3% over 2013.

For businesses, these numbers were motivating to see, showing that customers hadn’t completely lost trust in merchants and were still willing to rank plastic over cash. However, should another data breach occur, there’s no guarantee that consumers will continue to trust the purchasing methods in place today. Even more importantly, the costs of responding to and remediating a publicized breach hit a retailer’s bottom line directly.

Luckily, there are steps merchants can take to keep their customers (and their personal information) safe: become PCI compliant.

What is PCI Compliance?

Created in 2004 by Visa in an effort to protect cardholders’ information, PCI DSS provided merchants and organizations in the payment-processing lifecycle with a set of mandatory requirements to follow. Over the next ten years, the standard has been updated and revised to keep up with changes in the industry. Now in its third iteration, PCI DSS 3.0 is the newest update, but vendors are still running into issues with reaching and maintaining compliance.

The twelve broad requirements for compliance, split into six groups called “control objectives,” remain consistent across each update. However, new sub-requirements are added with each version to enhance the protection that compliance provides.

While some requirements are easier than others to comply with, the Verizon 2014 PCI Compliance Report showed that only 11% of merchants maintained full compliance between annual audits. This leads to the question: is PCI compliance enough?

It’s Just Not Enough

The short answer is no, but it’s much more complicated than that.

Merchants need to keep their customers’ information at the top of the list of data and data communications to secure, by taking steps beyond those outlined in PCI DSS 3.0. For example, a unified SIEM (Security Information and Event Management) platform that collects real-time information from every digital communications device, and whose data is monitored and analyzed both in real time and after the fact, is a great start. Collecting information from network devices, POS devices, servers, PCs and cash registers in one consolidated place, with analytical processing, is necessary for a global view. This, along with a subtle shift in thinking from “let’s stop untrusted access to our devices” to “let’s stop any internally compromised device from communicating back out to the perpetrator,” can also have a great impact on the success of a security plan.

More often than not, breaches are born from an innocent end user being phished or tricked into giving the “bad guys” access to the trusted network. Diligent training of end users, and a security plan that assumes breaches already exist, is the new paradigm. Building on the SIEM recommendation, PCI requirements should include, at a minimum, the ability to actively search live data for 12 months. This lets today’s new and improved SIEMs better predict anomalies across the entire Cardholder Data Environment (CDE), with security analysts monitoring the collected data in real time. SIEM platforms have historically been a black hole, absorbing massive corporate IT budgets, but the new platforms, gathering data from the whole CDE and from every end user with access to it, coupled with real-time eyes on glass, let security experts make the solution a fit for the PCI DSS dilemma we face today.
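To make the two ideas above concrete, here is a small, added example (not code from the article or from MetTel) of the kind of correlation a SIEM would run over consolidated logs: it normalizes events from two constructed log formats (a firewall and a POS host agent), flags any CDE host that opens an outbound connection to a destination outside its egress allowlist (the “stop compromised devices from calling out” shift), and uses a retained history window as a baseline to surface destinations a host has never contacted before. The host names, IP ranges, allowlist and every log line are constructed for illustration.

```python
"""Toy SIEM-style egress correlation over constructed log lines.

Added example, not part of the original article. Host inventory, allowlist,
address ranges and all log lines below are constructed for illustration.
"""
import ipaddress
import re

# Constructed CDE inventory: internal hosts that handle cardholder data.
CDE_HOSTS = {"pos-01", "pos-02", "payment-gw"}

# Constructed egress allowlist: the only external destinations each CDE host
# is expected to reach (e.g. the payment processor's endpoints).
EGRESS_ALLOWLIST = {
    "pos-01": {"203.0.113.10"},
    "pos-02": {"203.0.113.10"},
    "payment-gw": {"203.0.113.10", "203.0.113.11"},
}

# Internal address space for the demo; anything outside it counts as outbound.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Two constructed log formats that the "SIEM" has to normalize.
FIREWALL_RE = re.compile(
    r"^(?P<ts>\S+) fw\d+ CONN src=(?P<src_host>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")
AGENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src_host>\S+) agent: outbound connect to "
    r"(?P<dst>\S+):(?P<dport>\d+)$")

# Constructed "live" log lines from the firewall and a POS host agent.
LOG_LINES = [
    "2015-03-01T10:00:01Z fw01 CONN src=pos-01 dst=203.0.113.10 dport=443 action=allow",
    "2015-03-01T10:00:05Z fw01 CONN src=pos-02 dst=10.0.5.20 dport=445 action=allow",
    "2015-03-01T10:01:12Z fw01 CONN src=pos-01 dst=198.51.100.77 dport=8443 action=allow",
    "2015-03-01T10:01:13Z pos-02 agent: outbound connect to 198.51.100.77:8443",
    "2015-03-01T10:02:00Z fw01 CONN src=hr-laptop-7 dst=198.51.100.77 dport=443 action=allow",
    "this line matches no known format and is skipped",
]

# Constructed retained history (stands in for the 12-month search window).
HISTORY_LINES = [
    "2015-02-01T09:00:00Z fw01 CONN src=pos-01 dst=203.0.113.10 dport=443 action=allow",
    "2015-02-01T09:00:02Z fw01 CONN src=pos-02 dst=203.0.113.10 dport=443 action=allow",
    "2015-02-01T09:00:03Z fw01 CONN src=payment-gw dst=203.0.113.11 dport=443 action=allow",
]


def normalize(line):
    """Parse one raw line into a common event dict, or None if unrecognized."""
    for source, pattern in (("firewall", FIREWALL_RE), ("agent", AGENT_RE)):
        m = pattern.match(line)
        if m:
            event = m.groupdict()
            event["source"] = source
            event["dport"] = int(event["dport"])
            return event
    return None


def is_external(ip_text):
    """True if the address parses and lies outside the internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def cde_events(lines):
    """Yield normalized events whose source host is in the CDE."""
    for line in lines:
        event = normalize(line)
        if event is not None and event["src_host"] in CDE_HOSTS:
            yield event


def find_egress_alerts(lines):
    """CDE hosts reaching an external destination not on their allowlist."""
    return [e for e in cde_events(lines)
            if is_external(e["dst"])
            and e["dst"] not in EGRESS_ALLOWLIST.get(e["src_host"], set())]


def build_baseline(history_lines):
    """Map each CDE host to every destination seen in the retained history."""
    baseline = {}
    for e in cde_events(history_lines):
        baseline.setdefault(e["src_host"], set()).add(e["dst"])
    return baseline


def first_seen_alerts(baseline, lines):
    """CDE events whose destination (internal or external) is new for that host."""
    return [e for e in cde_events(lines)
            if e["dst"] not in baseline.get(e["src_host"], set())]


if __name__ == "__main__":
    for alert in find_egress_alerts(LOG_LINES):
        print("EGRESS", alert["src_host"], "->", alert["dst"], alert["source"])
    for alert in first_seen_alerts(build_baseline(HISTORY_LINES), LOG_LINES):
        print("FIRST-SEEN", alert["src_host"], "->", alert["dst"])
```

The allowlist check is deliberately independent of the firewall’s own verdict (`action=allow` is recorded but not trusted), so a connection the perimeter permitted still raises an alert when it leaves a CDE host for an unexpected destination. The baseline check also flags new internal destinations, since a POS terminal reaching a file-sharing port on another internal host is the kind of lateral movement a 12-month history makes visible.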

The Customer Comes First

When it comes to securing your customers’ information, there are no shortcuts or excuses. Look to PCI DSS 3.0 as a starting point for the security your customers need, and then go the extra steps to provide them with NSA-like analytics and top-notch care. Digital security can’t be siloed anymore.

Ed Fox, Vice President of Network Services, MetTel

Ed Fox is responsible for the planning, deployment and operation of MetTel’s broadband, data and VoIP network infrastructure. He has over 20 years of telecommunications and network experience giving him strong insights into future industry developments and innovations.
