Keeping Up With Payment Card Industry Data Security Standards

Posted by Mark Greisiger

A Q&A with Gregory Rosenberg of Trustwave
Payment Card Industry Data Security Standards are now in their third version. I talked to Gregory Rosenberg, Sales Engineer at Trustwave, about what organizations need to know about the most recent changes to the standards, particularly as they relate to third party service providers.

Can you give us a summary of PCI DSS 3.0 additions?
The update as a whole is not earth shattering, but here are the changes that concern us most:

  • E-commerce merchants re-directing payment collection to third parties. E-commerce merchants who have enlisted third party service providers to collect payment card data on their behalf used to be able to exclude their web environment from the scope of PCI DSS. The main premise behind this was that their systems did not store, process or transmit cardholder data. The new version of the standard will pull many of these environments into scope, even if they never handle their customers’ cardholder data! Many companies are using redirection as a way to minimize the cost of compliance. The landscape has changed drastically over the past few years, where bad actors are increasingly intercepting this re-direction or eavesdropping on a seemingly encrypted channel carrying payment card data. In fact, these types of attacks involving third parties have accounted for half of the uptick in overall forensic investigations. Now that these environments are covered by the PCI DSS, e-commerce merchants will be required to implement security controls that may not have been in place before.
  • Changes around service providers. “Service providers” might include anything from a payment gateway or a call center to a third party managing a firewall. All service providers are required to clearly articulate which PCI DSS controls they are now responsible for and which remain the responsibility of the merchant.
  • Authentication. Service providers have to make sure they are using different and unique passwords for each of their customers as well as two-factor identification when remotely connecting to their customers’ cardholder data environments.
  • Penetration testing. Merchants and service providers must now procure an independently conducted penetration test, based on industry-accepted methodology that will assure security of networks, applications and data.

 


Can a retailer fully outsource their PCI obligations to a TPSP (third party security providers)?
A large portion of attacks are associated with third parties. In many ways the security industry has seized on PCI as a moneymaker, hoping to provide relief to merchants struggling to manage their technical obligations. These merchants know they need to do something or they will face fines or fees but they need the savvy of a professional to help them. At the same time, third parties are making everything more complicated—if you outsource you will still be held liable for any security lapses within the third party’s system. So while retailers can rely on TPSPs, they still need to be careful about who they’re engaging with and they must stay focused on service provider requirements.

How can a retailer reasonably conduct due diligence on their TPSPs?
In many cases it’s a matter of engaging other vendors, conducting background checks, and gathering references. You could speak with the acquiring bank as well to see if they have any recommendations. TPSPs may be audited for compliance and data security by a third party in certain scenarios. If your TPSP is not independently audited then your due diligence is largely taking the word of the third party.

What are some of the key PCI weaknesses you are seeing?
We all know that compliance doesn’t equal security. The PCI DSS have done a great job of updating their standards to changing technology, but there will always be gaps. For example, the password requirements say that you need to have an 8-character password but if you look at a company like Amazon, you’ll see they have a 7-character password. You can’t just rely on compliance as a silver bullet because every environment presents its own risks. Compliance needs to be addressed but we also need to be cognizant of our own specific security issues as we go forward.

In Summary…
Thanks to Greg Rosenberg for a thoughtful explanation of PCI 3.0 updates and especially for addressing the issues around the third-party payment processing trend. Outsourcing does not necessarily absolve the retailer of PCI compliance duty (nor does it negate legal liability in the eyes of a data breach victim and his plaintiff lawyer). Interestingly, PCI 3.0 is trying to address the still-problematic security weaknesses pertaining to passwords for credit card processors (i.e., now service providers have to make sure they are using different and unique passwords for each of their customers as well as two-factor authentication). Note this strengthening of password access controls was also a central theme in our recent interview discussion with Karl Sigler of Trustwave about Point-of-Sale (POS) terminal malware threats.