PCI DSS 3.0 is an evolution, not a revolution

The primary goal of the Payment Card Industry Data Security Standard (PCI DSS) is to protect the confidential user information on credit cards.

[CSO’s guide to the Target data breach]

So, an obvious question, given the news of the past several weeks, is whether the massive breach of retailer Target could have been avoided, or at least discovered in fewer than 19 days (the breach reportedly lasted from Nov. 27-Dec. 15), if the company had been in compliance with the latest update of the standard, known as PCI DSS 3.0, which took effect Jan. 1, but will not require full compliance until the beginning of 2015.

Not likely, according to several experts, even though Requirement 9.9 of the standard calls for organizations to physically secure their Point of Sale (PoS) terminals. Requirement 5 could also apply; it calls for organizations to protect all their systems against malware.

As Target CEO Gregg Steinhafel acknowledged in his recent “apology tour” of the major television networks, the company’s PoS systems had been infected with malware.

Still, experts said the new standards would probably not change the outcome, and at this point, with the investigation incomplete, it is impossible to say for sure. The mantra in the security industry remains: “There is no such thing as 100% security.”

“Requirement 5 already existed in version 2.0 and very little changed in 3.0,” said Chris Camejo, director of assessment services at NTT Com Security, noting that it is easy for attackers with programming capabilities to write custom viruses that will not be detected by anti-virus — so-called “zero-day attacks.”

“Those targeted by custom malware would have to rely more on their ability to detect and respond to the attack itself via network monitoring than on the ability of anti-virus or IPS to block as-yet unknown custom attack code,” he said.

Camejo and others also said Requirement 9.9 would not have helped, since it did not appear that there was physical tampering with Target’s PoS devices. “Malware can be spread across the network without physically interacting with the PoS, and given the scale of the breach at Target I suspect that this attack was conducted mostly or entirely over a network,” he said.

[Collisions likely over PCI 3.0]

Julie Conroy, an analyst at Aite Group, agreed that compliance with PCI DSS 3.0 probably would not have helped. “Protecting systems against malware is already something most retailers, particularly the large ones, are trying to do,” she said. “Given the breadth of systems impacted, the attack on Target appears to have been quite sophisticated.”

Dr. Anton Chuvakin, research director, security and risk management at Gartner for Technical Professionals, said it is impossible to tell. “Anybody who claims that, ‘if only they bought our stuff, or complied with our stuff, the breach would not have happened,’ is likely not being 100% honest,” he said.

[Passing PCI firewall audits: Top 5 checks for ongoing success]

“Specifically, we don’t know whether they had anti-virus on the PoS devices and we don’t know, but doubt, that the attackers needed physical access.”

Camejo said the only provision of the updated standard that might have been helpful is Requirement 6.5, which calls for application developers to consider how card data is handled in memory.

“This isn’t so much something that Target could have done — it would have to be done by the PoS vendor,” he said. “Although Target seems to be getting most of the flak, I would be more apt to blame the PoS vendor for developing a platform that doesn’t handle the cardholder data securely in memory and doesn’t have enough internal checks to prevent tampering.”

In other words, PCI DSS 3.0 will not make the industry bullet proof. But there is general agreement among experts that compliance with it will improve security to the industry, even though it is more an “evolution” than “revolution.”

Indeed, of the 98 items listed in a summary of PCI DSS 3.0, 74 of them are described as “clarification,” while only 19 are “evolving requirements” and five are “additional guidance.”

One of the most significant elements of the standard, however, is the theme of making compliance a daily event, or business as usual (BAU), instead of an annual “check-the-box” scramble to comply with an audit.

“The PCI SSC (Security Standards Council) wants to encourage organizations to move into a proactive state, where they have better control over their in-scope assets,” said Christopher Strand, compliance consultant at Bit9.

“Compliance in the past had a tendency to be reactive since it was normally done in order to meet the annual or point-in-time obligation or review. Now, the only way to remain compliant under the new version of the standard is to ensure your security stack can give you full visibility of the environment, with the ability to proactively audit the endpoints and network in real time for deviations.”

[JPMorgan to notify 500,000 due to data breach, but will not offer replacement cards]

“The guidelines won’t be everything to everyone,” said Alphonse Pascual, senior analyst at Javelin Strategy & Research. “There is no perfect security, and when it comes to bureaucracy you take what you can get.”

Chuvakin added that the update includes, “plenty of new focus not just on policies and not just on buying tools, but on developing actual operational processes and practices, to make it truly BAU.”

This, said Conroy, should not require a major spike in spending, or raise the costs of a company’s products and services. “The elements of PCI 3.0 that are designed to make compliance more of an every-day business practice are largely procedural — many do not require big IT investments,” she said, adding that the CISO of a large health insurer told her the updated standard would be, “pretty much a non-event for his organization, because it was already doing most of what was required.”

And Camejo is just one of many who point out that the cost of compliance is far less than the potential cost of fines for noncompliance, which can be tens of thousands of dollars per month, or the cost of a major breach, which easily run into the hundreds of millions, as in the cases of TJX ($256 million), Sony ($171 million), and Heartland Payment Systems ($140 million).

[Major attacks on retailers cast spotlight on higher security cards]

“Current estimates of the cost of a breach run between $200 and $300 per compromised card,” he said, which would mean Target would be looking at as much as $8 billion on the low end.

Among the other more significant new or revised requirements are:

Physical security of PoS terminals

“This is a big one,” Chuvakin said, but added that “additional environment security guidance is much needed as well.”

Camejo agreed it is important, but said it “falls into the category of things they should have been doing already anyway.”

A network diagram that shows what is connected to cardholder data and its flow through the system

Camejo said what looks like a subtle change here is really quite significant, since it expands the scope of what is covered by the standards. “Previously, it included anything that stores, processes, or transmits cardholder data. Version 3.0 adds that anything that is connected to or can affect the security of the cardholder data is also in-scope,” he said.

“The organizations that have been cutting corners – either willfully or out of ignorance – will have a much tougher time.”

And Chuvakin said that even if it is difficult for some merchants, “it really does open your eyes about where the card data moves, how and when.”

Pen testing, which includes verification that segmentation is working effectively

Chuvakin said this should improve security, since “since a lot of shoddy pen testing was sold that was essentially a guy with a vulnerability scanner.”

Camejo said he views the requirement for validation of segmentation as, “a huge thing. Organizations often get segmentation wrong and this will help make sure they’re doing it correctly,” he said.

Strengthening password policies, tokens and certificates

“I think this is one of the most valuable requirements,” Conroy said. “Poor passwords are responsible for the bulk of the data breaches that are taking place right now. This is an easy, low-cost way to eliminate a lot of the current vulnerabilities.”

[Rising impact of Target breach indicates deeper hack into systems]

The update doesn’t cover everything. Bit9’s Strand said other areas he would like to have seen addressed include encryption key management and classification to ensure and monitor remote, secure and administrative access; greater scrutiny of access management to protect against insider threats as well as malicious external attacks; and better endpoint protection of assets like PoS devices.

But Pascual said that overall he sees real value in the update. “We have seen significant breaches in the past year that could have been avoided with the changes,” he said. “Each change is relevant to the threat environment that businesses face.”

There has also been considerable discussion in the wake of the breach at Target and other retailers like Neiman Marcus on why the U.S. has not moved to EMV (Europay, MasterCard and Visa) technology, which uses a computer chip and requires a PIN, rather than the magnetic stripe, and is considered more secure.

Expert views are mixed on this. Conroy said a change like that is not the role of the PCI standard. “The card networks are working on this separately, and trying to tackle it as part of the DSS would muddy the waters too much,” she said.

Chuvakin called it “a nonstarter,” and said it is not necessarily a sensible goal for the modern era since, “it does nothing to help ecommerce card fraud and theft.”

And Camejo said U.S. consumers should be careful what they wish for, since EMV puts more of the liability burden on the consumer than on the bank or merchant. “For any transaction completed with EMV, consumers are liable for fraud losses unless they can prove that they are not responsible for a transaction,” he said.

He also said there are vulnerabilities in the PIN system, and that it would be enormously expensive to shift to EMV in the U.S.

But then, Strand said the shift to EMV technology is already under way, “slow but sure.”

Finally, experts stress that an update is not meant to imply that PCI DSS 3.0 addresses all current threats.

“I don’t think that we can ever say that any of it is ‘up to date’ with the threats, because of how fast the threat environment is moving,” Conroy said. “PCI 3.0 establishes some important fundamental practices that businesses should be implementing, but it should never be viewed as a panacea.”

Chuvakin agreed. “The standard defines a base level of security rather than the level that is the absolute maximum. Think security floor, not ceiling,” he said.

[Inside knowledge likely in Target breach, experts say]

But he contends that compliance has real value, even if it can’t keep up with an evolving, sophisticated threat landscape. “I am waiting for that one breach that affected a company that really did take PCI DSS to heart and did everything well,” he said. “It just doesn’t happen.

“A lot of people are outraged over the ‘no PCI-compliant company has ever been breached’ line that some on the SSC mentioned a few years ago, but I happen to actually believe that.”