Commentary - Data breaches make major headlines. There's no two ways about it. The more mundane business of keeping those headlines to a minimum, through the industry's day-to-day efforts to keep customers' payment data safe, is not the stuff of front-page news. For those efforts to succeed, a cross section of industries must collaborate and share their latest ideas and experience of what is happening on the front lines of payment card data protection. The key word here is collaboration.
To prevent an epidemic of credit and debit card data theft, merchants, security assessors and other stakeholders in the payment industry have established a collaborative approach to developing standards as an effective weapon against criminal attacks. While it is virtually impossible to thwart every attack, the payments community is proactively coming together to discuss the complexities of the payment system and to develop tools that raise card data security globally. This movement is embodied in the PCI Security Standards Council (SSC), an independent industry standards body that manages the PCI Data Security Standard (PCI DSS) and other payment-focused security standards worldwide.
As part of this ecosystem, VeriFone joins the assessment community and nearly 600 Participating Organizations, made up of merchants, service providers, financial institutions and security vendors across different industries, in providing critical feedback for the ongoing enhancement of the security standards managed by the Council. Our common goal is to ensure that the PCI DSS and the other Council-managed standards are the strongest and most effective standards they can be.
The following areas are prime examples of how collaboration is driving payment security throughout the world, demonstrating the open and powerful nature of the PCI SSC forum. I hope that insight into some key areas where merchants, vendors and financial services firms are working together may spur you to think about how your own organization could play a role in helping us develop and maintain strong payment security standards.
Special-interest groups (SIGs)
Near and dear to my heart are the SIGs, which are independent groups run by Participating Organizations within the PCI SSC that focus on elements of the PCI DSS that might be considered challenging or open to interpretation. Of the four SIGs, which focus on wireless, scoping, virtualization and pre-authorization, VeriFone leads the wireless group. Anyone can propose a SIG on any topic that relates to payment security and the PCI standards.
When the wireless SIG came together a year ago, the goal was to collaborate with the more than 40 organizations that joined to develop educational tools the payment community can use to protect its wireless environments. In just the first six months of working together, the ideas and research of POS vendors, network security companies, acquiring banks and large merchants, including industry experts from Capita, The Information Assurance Consortium, McDonald's, Motorola and Unified Compliance Framework, resulted in an information supplement called the PCI DSS Wireless Guideline.
The paper is geared toward organizations that store, process or transmit cardholder data, whether or not they have deployed WLAN technology, as well as toward assessors that evaluate PCI DSS compliance. The guidelines help organizations understand:
- How the PCI DSS applies to wireless environments;
- How to limit the PCI DSS scope as it pertains to wireless; and
- Practical methods and concepts for deploying secure wireless in payment card transaction environments.
The wireless SIG has moved on to developing another guideline for next year, focused on Bluetooth, while the other SIGs are developing their own resources to help improve the understanding and adoption of the PCI DSS. If you have expertise in this area, or a desire to help address how this technology affects the PCI DSS, I encourage you to join the Council and actively participate in this group.
Community Meetings
An event that the Participating Organizations look forward to each year is the PCI SSC Community Meeting. Held in North America and Europe each fall, this annual forum plays a significant role in the Council's standards lifecycle management process and helps foster broad debate on the evolution of the PCI standards.
When it comes to an open forum, this is the place to be. All stakeholders, that is, Participating Organizations, Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs), gather for two days to propose and discuss revisions to the next iteration of the Council's standards. This is where the community's feedback on, and challenges with, the PCI standards are heard, debated and addressed across all industries, technologies and geographies.
And we've grown. During the Council's first feedback period, 150 organizations from around the world participated. Now, with more than 600 Participating Organizations, a significant increase in global participation is expected, along with a lively and thorough examination of the next versions of the PCI DSS and the Payment Application Data Security Standard (PA-DSS).
The conversations are going to be tough but effective. In light of this year's high-profile data breaches, there are sure to be lively discussions about how the PCI DSS should evolve during the open-microphone feedback sessions. Yet the purpose is to find a way to move forward together, as businesses that depend on a secure payment environment, and that is what we will walk away with from these meetings.
PCI DSS lifecycle
Transparency is the name of the game when it comes to the PCI standards lifecycle management process. The community collectively agreed on a 24-month lifecycle for the PCI DSS when the standard was established. This allows a gradual, phased adoption of each new version of the standard without invalidating current implementations or putting any organization out of compliance the moment changes are published.
With October 2010 marking the end of the PCI DSS's second two-year cycle, Participating Organizations have been asked to provide detailed and actionable feedback between July 1 and November 1, 2009, so that future editions of the Council's standards can be revised to improve payment data security. An online feedback tool makes it easier for everyone to comment on up to five key areas of their choosing in the PCI DSS and PA-DSS, and these comments will be a key focus at the Community Meetings.
It is important to realize that throughout the five-stage PCI DSS lifecycle, feedback is gathered from many sources, including the Participating Organizations, the assessment community, the Board of Advisors and the Community Meetings. Even at the final stage of the review process, in which the revisions to the new version are discussed, the entire payment community is included. At next year's Community Meeting, all stakeholders will review the changes together and obtain further clarification and education to assist in implementing the updated standard. What do you think could be changed or improved in the PCI DSS and PA-DSS? Your input is vital to shaping the next generation of security standards.
Achieving worldwide payment security: The rise of compliance
It's important to note that the recent high-profile data breaches are more the exception than the rule. While there are still merchants and service providers that remain out of compliance and at risk of a breach, a far greater number of organizations are increasing their focus on payment security and adopting the PCI DSS and the tools provided by the PCI SSC.
The feedback the Board of Advisors receives on an ongoing basis from organizations worldwide allows us to represent industry concerns to the Council and to be an active constituent of a single global resource for payment security standards. We want to ensure there is an integrated set of standards protecting all facets of the payment ecosystem: devices, applications, infrastructure and users.
At VeriFone, we've seen a tremendous increase in adoption of the PCI standards, evidenced by the growth of the Participating Organizations and the assessment community this year, and we are pleased to see the influence they are having on the information security strategies and practices of our organization and of other enterprises across the globe. Whatever your company's background or security posture, we encourage all those with a stake in ensuring a secure payment system to come to the table to collaborate and help evolve the PCI standards.
Dave Faoro is vice president of product security and systems architecture, VeriFone; and a member of the PCI Security Standards Board of Advisors.