Thales Blog

Countdown To PCI 3.0

July 2, 2013

PCI SecurityIn the run-up to Infosec, I blogged about the plethora of regulations affecting companies in the EU and gave an indication of what’s coming up next. With less than six months to go until the release of PCI 3.0, I thought now would be a good time to look at what might be included.

 The PCI Security Standards Council is set to release the latest version of the standard in October and, if you handle payment card data in anyway, it’s going to have implications for your business.  

It’s difficult to be sure exactly what the new release will include but, given some recent announcements and publications from the Council, we can expect it to address developments in both new technologies and the cybercrime tactics that have sprung up to exploit them. The last official release of the standard (PCI DSS 2.0) was almost three years ago (August 2010), and a lot has changed since then. 

One of the major changes has been the increased uptake in cloud computing, something we hear about every day when talking to our customers and prospects. The PCI Council clearly understands that organisations taking payments want to be able to take advantage of the economies of scale and efficiency improvements that cloud models can offer, but also recognises that there are certain risks to this way of working. 

Last February, the Cloud Special Interest Group of the PCI Security Standards Council released PCI DSS Cloud Computing Guidelines, to give organisations guidance on how to remain compliant in cloud environments.  From a data security standpoint, it’s pretty interesting that the Council is clear that there are data-sovereignty issues involved, after all – how do you know where in the world your data actually is if it’s up in the cloud? 

Often you don’t, but one way to tackle this is by implementing key management policies so that data can only be decrypted and accessed in certain regions. If you want to read more about this, check out section 6.4.5 (page 26), where the guidelines specifically call out encryption and key management best practices. 

The PCI Council subsequently announced the keynote speakers for its annual community meetings, which take place around the time the new release is set to land. You’ll see that speaker presentations are particularly focused on cybercrime and understanding data breach prevention, hinting to what we can expect in the new release. Cybercriminals rely on seeking out and exploiting previously unknown vulnerabilities in networks, and we’ve unfortunately arrived at a point in time where, especially since the capabilities of recent Advanced Persistent Threats have come to light, it’s a case of many companies asking not if, but when, their perimeter will be breached. 

Of course, the network is one of many layers that you can and should reinforce in order to give yourself as many chances as possible to thwart attacks, but assuming the bad guys are already on the inside (which they probably are), you’ll find yourself looking at layers of security much closer to your valuable data. 

Time will tell what exact requirements the new release of the standard might require you to adhere to, but you only have to look at changes in business practices and new threats to data security to get an idea of what’s needed. 

I’d like to leave you with one thought: even if you are absolutely compliant, it doesn’t mean you are absolutely secure. History has shown us that PCI-compliant organisations can still be breached.  Yes, as a business you absolutely have to comply with various legislation and standards like PCI DSS, but remember that by their nature these rules and regulations are fairly static, while the attack environment is dynamic and constantly evolving.  My advice is to take a proactive approach to security and make sure you strive to implement best-practice security measures across the board.