The PCI Security Standards Council now requires better authentication, encryption and penetration testing

The PCI Security Standards Council now requires better authentication, encryption and penetration testing by companies that accept consumer payments, improvements lauded by security experts.

“There are a lot of people who consider compliance to be policy for policy sake,” said Ryan O’Leary, vice president of the threat research center at WhiteHat Security. “But with these three recommendations, it is really security-industry standards that are finally being forced upon companies. I would say, absolutely, it will move the bar forward as far as security goes.”

Administrators with access to card data must now use two-factor authentication for any non-console login to the cardholder data environment, whether they connect from inside the network or remotely. Previously this requirement applied only to remote access from untrusted networks.

“A password alone should not be enough to verify the administrator’s identity and grant access to sensitive information,” said PCI Security Standards Council Chief Technology Officer Troy Leach in a statement.

“We totally think that this makes sense,” said Chase Cunningham, director of cyber threat research at Armor Defense. “Everyone here has multi-factor on every system, at all times, PCI or not.” But from his experience, it’s rare to see companies currently using two-factor authentication on all vulnerable systems, he added.

“The use of two-factor authentication for access into financially significant environments is something we’ve been advocating for almost 10 years,” added John Bambenek, threat systems manager at Fidelis Cybersecurity. “The tools that can do this are reasonably priced, and this will force the issue of actually implementing it.”

Active penetration testing

Previously, passive vulnerability scans were sufficient to comply with the PCI requirements.
Under the new rules, however, active penetration tests will be mandatory; service providers that rely on network segmentation must also test those segmentation controls with a penetration test at least every six months.

“Requiring actual penetration tests, versus scanning, is a great leap forward,” said Bambenek. “Static vulnerability scanners can miss a great deal, and the move to penetration tests shifts the focus from retrospective testing to what an attacker can actually do.”

Retiring SSL and early TLS

There have been a number of security vulnerabilities associated with SSL (Secure Sockets Layer) encryption over the past few years, said WhiteHat’s O’Leary, and some browsers and servers are still running old, outdated versions of these protocols.

“You need to get rid of those old versions, and not allow any downgrade attacks,” said O’Leary. “Just get rid of them altogether.”

In addition, while upgrading from SSL to TLS, he recommended jumping directly to the latest, most secure version instead of stopping at TLS 1.1, the minimum the PCI standards accept (the Council itself strongly recommends at least TLS 1.2). Currently, the latest version is TLS 1.3.

Companies have until February 1, 2018 to comply with the authentication and penetration-testing requirements, and until June 30, 2018 to complete the migration off SSL and early TLS.
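The migration O’Leary describes comes down to two settings on every TLS endpoint in the cardholder data environment: pin the protocol floor so that SSLv3, TLS 1.0 and TLS 1.1 can no longer be negotiated (which is also what removes the downgrade path), and keep only forward-secret cipher suites. The following is an added example written for this page, not code from the article, from CSO or from the PCI Security Standards Council. It uses Python’s standard `ssl` module (Python 3.10 or later, which requires OpenSSL 1.1.1+) to build a “before” server context that still accepts early TLS beside a hardened one, and an audit function that expands a context’s version bounds into the versions a peer could negotiate and flags the ones PCI wants gone. The cipher string is one reasonable policy, not a PCI-mandated list, and the contexts load no certificate so the example runs without key material; both are assumptions of the example.

```python
"""Added example (not from the article or the PCI SSC): build a server-side
ssl.SSLContext that meets the PCI "SSL/early TLS" migration guidance and audit
any context for protocol versions that must be gone by the deadline."""
import ssl
import warnings

# PCI DSS 3.2 classes SSLv3, TLS 1.0 and TLS 1.1 as "SSL/early TLS". SSLv2 is not
# listed here because modern OpenSSL cannot negotiate it at all.
EARLY_TLS = frozenset({ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1})

# Concrete versions in wire order, used to expand a (min, max) range.
ALL_VERSIONS = (
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
)


def audit_versions(min_version, max_version):
    """Expand a protocol range into the versions a peer could negotiate and flag early TLS.

    An unpinned floor (MINIMUM_SUPPORTED) is treated as allowing everything the
    library supports: the effective floor is then whatever the OpenSSL build or
    its config file says, which is exactly the gap a downgrade attack exploits.
    """
    floor = ssl.TLSVersion.SSLv3 if min_version == ssl.TLSVersion.MINIMUM_SUPPORTED else min_version
    ceiling = ssl.TLSVersion.TLSv1_3 if max_version == ssl.TLSVersion.MAXIMUM_SUPPORTED else max_version
    allowed = [v for v in ALL_VERSIONS if floor <= v <= ceiling]
    early = [v for v in allowed if v in EARLY_TLS]
    floor_pinned = min_version != ssl.TLSVersion.MINIMUM_SUPPORTED
    return {
        "allowed": [v.name for v in allowed],
        "early_tls": [v.name for v in early],
        "floor_pinned": floor_pinned,
        "compliant": floor_pinned and not early,
    }


def audit_context(ctx):
    """Audit a live ssl.SSLContext (server or client) by reading its version bounds."""
    return audit_versions(ctx.minimum_version, ctx.maximum_version)


def legacy_server_context():
    """The 'before' state (constructed for illustration): a server that still
    accepts TLS 1.0 and 1.1. Python warns that these versions are deprecated, and
    an OpenSSL built without TLS 1.0 refuses that floor, so fall back to 1.1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        try:
            ctx.minimum_version = ssl.TLSVersion.TLSv1
        except ValueError:
            ctx.minimum_version = ssl.TLSVersion.TLSv1_1
    return ctx


def hardened_server_context():
    """The 'after' state: TLS 1.2 as the floor, TLS 1.3 as the ceiling.

    Pinning minimum_version is the downgrade defence: with no lower version left
    to fall back to, a fallback attempt simply fails the handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # TLS 1.2 cipher policy (an assumption of this example): forward-secret AEAD
    # suites only. TLS 1.3 suites are managed separately by OpenSSL and are
    # already AEAD-only.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    # A real deployment adds ctx.load_cert_chain("server.pem", "server.key") here;
    # omitted so the example runs without key material.
    return ctx


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_server_context()), ("hardened", hardened_server_context())):
        print(name, audit_context(ctx))
```

The audit deliberately fails a context whose floor is left at the library default: such a server may well negotiate only TLS 1.2 today, but its behaviour is decided by the OpenSSL build and system config rather than by the application, and that is the setting a QSA will ask you to prove rather than assume.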
Needs to go further

The only complaint security experts had with the new guidelines was that they didn’t always go far enough.

Stolen credentials are a factor in 63 percent of all confirmed data breaches, according to the latest Verizon Data Breach Investigations Report.

“Basic two-factor authentication would mitigate an entire swathe of these breaches,” said Bryan Sartin, executive director, global security services at Verizon.

“The new PCI standards fall far short of actually improving the security of cardholder data,” said Brian NeSmith, CEO at Arctic Wolf Networks.

As with many compliance requirements, the process of creating new standards is lengthy, and they wind up lagging behind what the criminals are doing.

“What the industry really needs is to improve its threat detection and response capabilities in order to catch the bad guys before the damage is done,” NeSmith said.

Fidelis’ Bambenek added that there are other threat vectors that are also not addressed by the new compliance requirements.

“It would be hard, for instance, to see how the prevalence of POS malware will be affected by these changes,” he said. “Consumer data will still not be safe.”