Software and the acceleration of payment security

As the way payments are accepted continues to change, the PCI Security Standards Council CTO discusses how the Council is supporting these advancements in payments with security standards to protect payment data.

1 transform phone payment

As business leaders, we’re taught to expect technology to expand capabilities while reducing cost over time as provided by the oft-quoted Moore’s Law. And it is broadly accepted that technology will continue to accelerate.

However, with recent technical advancements – from global problem solving and information sharing with cloud capabilities, to distributed application design for smart technology and artificial intelligence designing the next generation of software – we are now faced with evolutionary changes that are far bigger and happening faster than the original purpose of Gordon Moore’s observation.

The same progress can be seen in recent advancements for both payments and information security, especially as it relates to the integrity of software to safely and securely facilitate payments.

That is why this year at the PCI Security Standards Council (PCI SSC), much of our focus is on how to leverage advancements in software security and keep pace with this evolution in payments.

To take advantage of these improvements, we need to be aware of the attention required for good software design and lifecycle management. Today, the budget for application security is less than 20% on average for organizations, yet our reliance on software security is growing significantly.

In payments, we continue to look for better controls to be more active and reactive that offer depth of defense as well as a balanced approach to security for business. 

Software-based PIN-entry

This is especially important for securing payment data with software as the number of new merchants grows daily and the way payments are accepted and processed continues to change. Currently, the PCI SSC is developing a new standard that considers new ways to process payments in mobile devices and environments.

Central to the challenge of mobile payment acceptance on MPOS are devices that are not designed with payments as the primary purpose or function. In earlier PCI Standards, we focused on developing requirements to encrypt account information before it enters consumer-grade mobile phones or tablets, and other ways to demonstrate good security for devices accepting PIN in a mobile-type environment.  In that way, the risk of the mobile device does not impact the integrity of the transaction.

As technology continues to advance and the value of static data diminishes, we are now designing controls that consider managing PIN entry via software (rather than encrypted key strokes via a pin pad) directly onto these commercial off-the-shelf (COTS) devices. 

This new software-based PIN entry standard will provide a structured and secure payment acceptance approach for software-based direct PIN entry on MPOS, where it does not currently exist.

A key security objective will be to isolate the PIN at all times from the account number so there cannot be any attempt at correlation attacks.  Correlation attacks occur when data from two or more sources are combined to have enough information to commit fraud. Criminals are using big data to steal credentials, and any new approach needs to develop standards to minimize that threat. How we create that isolation is through mechanisms such as encryption to prevent those two data elements from ever being present in the same environment.

Additionally, software security best practices for the payment application and extensive monitoring will be important principles in the new standard to mitigate against potential threats to the payment environment within the phone or tablet.

As part of the standards development process, we are working with PCI-recognized security evaluators, and other industry stakeholders to get their feedback on the draft standard and ensure that we are providing not only the right type of security controls but also testing procedures that are realistic to demonstrate. We are also looking at the potential for a supporting program that will provide a validated listing of these solutions for merchants on the PCI SSC website.

Secure software design and development

Software security is increasingly important not only for mobile applications but also for other types of traditional payment technology that is introducing more ways to connect and use account information in software programs.

Consumers and merchants alike need assurance that the software processing cardholder information is going to be secure with a high level of integrity.  And, that security is part of the design and delivery of each instance of code distributed to businesses.

Today’s software development environment, however, pushes changes at a rate that cannot be quickly validated by independent sources.  So how do we establish that trust? 

At the core is good software design and thorough lifecycle responsibilities for ongoing maintenance against new threats as they are discovered.  This begins with confirming application developers are aware of trends in cybercriminal activity against payment data and trained in the best practices to minimize risk in the design of future code.

It also requires CISOs to manage their third-party relationships to have adequate oversight and/or agreements that the vendor will continue to monitor for future threats as well. 

The PCI SSC is currently working on standards to address secure design and development of payment software. The intent is to address the pace of change in modern software development and promote software lifecycle awareness while maintaining integrity and transparency of payment security within the code design.  We will be asking the industry to review and provide feedback on these draft standards in the coming weeks – this is a great opportunity for organizations involved in software development to share their input. As these standards are developed, I’ll be writing more on this topic in future blog posts.

We will also discuss these initiatives with PCI stakeholders at the upcoming Europe PCI Community Meeting in Barcelona. As the way payments are accepted continues to change, the PCI SSC is constantly looking at how we can support these advancements in payments with security standards to protect payment data.  

Copyright © 2017 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022