Pitt's comments are taken from a transcript of an Xtalks web presentation, to access the full archive click here.
Seana Pitt, Chairperson of the PCI Security Standards Council and VP of Merchant Policy and Data Quality, American Express, Global Network Operations.
Payment Card Industry (PCI) data security standards (DSS) are designed to ensure all entities that accept credit or debit card payment, or collect, process or store credit card transaction information are protecting account payment data. The five major payment brands can levy fines on acquires whose merchants make no progress on complying with the standards. But the standard is complex, it has 12 rules and 200 detailed sub-requirements. Here, Seanna Pitt, Chairperson of the PCI Security Standard Council, describes the Council's role in driving compliance with the standard and shares some insight on securing account payment data.
What is the PCI Security Standards Council?
“The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. It's designed to engage with the stakeholders and ensure everybody understands the importance of securing account payment data within their businesses, and having feedback mechanisms to bring back security enhancement and implementation challenges to us and be able to drive a more comprehensive security strategy within the marketplace.
It's a milestone in the payment processing industry because for the first time all five major payment brands—American Express, Mastercard, Discover, JCB, Visa—have come together to drive a global unified initiative. The need to drive consumer awareness and comfort in the payments industry and ensure data is being protected effectively was one of the key drivers that encouraged the payment brands to come together.
The Council is designed to ensure all stakeholders that will adopt and complement the data security standards have a comprehensive and effective way of implementing these in their businesses.”
What are the PCI Security Standard Council's Objectives?
“To enhance account payment security. We have evolved our data security standards as we feel appropriate to enhance security. Some of the things being considered are a payment entry device standard, a payment application standard and any place where we see a need to increase security around how payment data is secured within merchants, processors, or point of sales vendors. We will continue to drive that forward.
To maintain a roster of QSAs and ASVs. One of the key things the council does is ensure a robust and geographically diverse set of qualified security assessors. These are the auditors that go out and audit how well a business implements a PCI standard in the marketplace and also the approved vendors. Its critical that we have a list of trusted QSAs and ASVs in all areas of the globe that stakeholders can reach out to help implement the standards within their businesses and then vet the effectiveness and how well there doing implementing the standard in their business.
Adoption and awareness are critical to our message and objectives. We believe adoption and compliance begins with everyone understanding what needs to be done. So educational programmes, awareness building activities are critical to our mission. We are trying to drive to the PCI security standards council being a centre of excellence for any stakeholder to come to get educated on what the PCI security standards are all about, how to implement them and also be an area for Q&A.
What we found is when each of the individual payment brands tried to drive adoption within their own organisation that their participation and ability to gather feedback from stakeholders was critical. So it is very important for us to hear from the marketplace what is working in how to implement this standard, what security standards they are driving to and actually hear a complete feedback loop as to how we should evolve the standard going forward. I often think of the standard now in terms of a very traditional product lifecycle, we have a standard that was issued, we want to have customers adopt that standard and then if we are good product developers what we need is a checkpoint to hear about what we need to do to increase the effectiveness of security on that standard, as well as implementation challenges that businesses may be encountering. Two weeks ago we hosted a roundtable around the standard, 83% of the attendees said it was critical to have feedback.
The PCI DSS is our first standard. We will continue to look at what additional standards the industry should have comprehensively across the globe and across all different payment brands. So the council has set itself up, so that although we begin with the DSS standard, its quite possible and very realistic that we will add additional stakeholders as we evolve our mission in the marketplace.”
What are the benefits of participation with the Council?
“Participating organizations will be able to attend community meetings where we have dialogue on what's going well, what needs to change, and how we drive things forward. organizations will have a preview of what different businesses and what the council is thinking about in terms of updates to the standard. And they will have an opportunity to provide comments on the draft of the standard.”
What is the PCI DSS Version 1.1?
“There were a number of things we wanted to accomplish when we updated the version. We addressed three key things. Our clarity and consistency, so now the five brands recognise the DSS standard as the roadmap for how anyone writing their network needs to secure their data. We went through the standard to ensure consistency across all the payment brands on use of terminology and cleaned up where we had ambiguity of language. Flexibility for business or technology constraints—in key feedback from the marketplace we had often heard in certain situations it may be a technology or business challenge to be able to meet requirements within the standard—means we are introducing a methodology such as compensating controls where a business entity if they can't meet the letter of the requirement then they can show us why that's a challenge to their business and how they would protect the data within the requirement and then we would recognise a compensating control formally. The last thing we looked at was what are the emerging threats we saw in the marketplace.”
What revisions did you make?
“Only one technical change which was creating the new application requirement. This is a technical introduction to the standard what we did is introduce it as a best practice with a future implementation date of June 2008 attached to it. We don't want to issue standards that not every stakeholder can be in compliance with and that we need to give the marketplace the ability to adopt as we change requirements. We also looked at cleaning up clarification and definitions between what is card holder data versus sensitive authentication data, and what is truly acceptable to store and what is forbidden to store. The compensating controls is also giving businesses the flexibility of showing different ways that they can fulfil on the spirit of the DSS standard.”
What are the PCI DSS requirements?
“They are a comprehensive roadmap for securing data. So its how you think about your network, how you store data, your vulnerability management program, your access control, how you monitor and test your network as well as maintaining an information security policy. So the standard itself covers everything from, who has access to your data to physical security of where your data is stored, to technical nuts and bolts about how you encrypt transactions within your environment.”
What is the new application level requirement?
“This was our attempt to raise the standard to address new and emerging security threats. So we continue to see increasing compromises around things like SQL injection, cross-site scripting and other application level attacks. Often hackers get through the network level and take advantage of vulnerabilities at the application level. So we are introducing new requirements to start to think more about how we secure the application level and not just rely on the network security as our defence mechanisms. So we have introduced things like secure coding of web applications and we are really looking to ensure that we spend more time thinking about vetting the application level.”
When is version 1.1 effective?
“It became effective in the marketplace when we launched on September 7, 2006. Many of these technical requirements have built in lead time and its our expectation that anyone performing a new certification in 2007 will be recertifying to the 1.1 version of the standard.”
Any future enhancements?
“Some of the things we have on our agenda is revising our self assessment questionnaire. One of the challenges of being the authority on the PCI standard itself is we need to have the right approach that can be applied to both large and small businesses. So the self assessment questionnaire starts to address mid to small businesses and how they think about applying the standards within their businesses. We are continuing to update our FAQs so that we have a consistent way of any business asking a question about how to define a requirement and have that accepted by all the major payment brands that are supporting the PCI DSS within their businesses. And also ensure that we are getting feedback from our customers on how well the QSAs and ASVs are doing in their businesses. So we have said that the QSAs and ASVs will need to be able to provide customer surveys that come into the council so we develop a good quality assurance program.”