Magazine Article | August 29, 2017

Take The Guesswork Out Of Payment Security

A Q&A With Retail Executive

The PCI Security Standards Council discusses upcoming standards that affect retailers of all sizes.

The PCI Security Standards Council is the body that creates the standards and best practices retail executives rely on for payment security. By now, you should be well aware of the PCI DSS (Payment Card Industry Data Security Standard), as it’s the most exhaustive standard and the one that has received the most attention. However, in speaking with Troy Leach, CTO, and Mauro Lance, COO, of the PCI Security Standards Council, it is clear there are other standards on the horizon worth noting, as well as other initiatives built to help you navigate the payment security landscape.

Retail Executive: What new payment updates/standards are forthcoming that affect retailers?

Troy Leach, CTO, PCI Security Standards Council: This year will probably be one of the busiest years for new standards and new requirements, as we have five new standards, two revised standards, and another significant initiative.

Most of these standards are focused on the payment solution developers and vendors that create the solutions that merchants use. Our goal is to help merchants of all sizes improve security and possibly, at the same time, reduce their overall responsibility for demonstrating security through compliance.

As we look at the payment ecosystem, we’re seeing the market developing and using third-party services, products, and software. In fact, 80 percent of all software today uses some form of third-party code, hosting, or services. It can become difficult for a retailer to demonstrate that it’s done enough due diligence on the security of a payment environment when there are third-party pieces being used.

As a result, our focus is on initiatives to improve payment software security, so two upcoming standards will target vendors developing the third-party payment apps that retailers use. Essentially, we want to simplify compliance for retailers by having third-party software validated independently by software security professionals and experts.

We also have two other standards related to 3DS (Three-Domain Secure) for merchants leveraging e-commerce and a mobile presence. Last year, EMVCo created a spec related to a new, more secure version of 3DS, which provides significant improvements. The new standards will help ensure that customers are authenticated all the way to the issuer. They will create less friction in the overall customer experience and give retailers confidence in the legitimacy of transactions. Note that these 3DS standards are intended for those that provide 3DS services and applications, not for merchants simply using 3DS services.

Lastly, we have a new standard that will probably be more relevant to smaller merchants, but could be applied to large merchants as well. The new standard is related to using commercial off-the-shelf mobile devices to do PIN entry onto the device’s glass. While we already have legitimate certified PIN-on-glass devices, merchants were asking for clarification about the security. Public drafts and requests for comment for all of these new standards will be released later this year.

Retail Executive: How does the public comment process work?

Leach: The request-for-comment period typically lasts from two weeks to six months. On larger standards like DSS, we might go to request for comment several times with changes we’re considering and longer open periods. Other standards closer to release are open for 14 to 30 days. Our PIN entry standard will probably have three rounds of comments (not including the community meetings we hold worldwide).

We have a dedicated working group made up of subject matter experts and task forces that are typically drawn from our membership base. Also, we have 3,000 other security professionals (i.e., qualified security assessors [QSAs]). All said, we get a variety of feedback from thousands of different stakeholders. This process is much different from how other standards bodies work.

Retail Executive: What special initiatives are you working on that affect retailers?

Leach: Last year we created and published an educational resource for small retailers. We worked with the NRA (National Restaurant Association) and merchants to create our Payment Protection Resources for Small Merchants, including the Guide to Safe Payments with basic security guidance and the Common Payment Systems with use cases for 14 different payment device scenarios. The scenarios eliminate technical jargon and confusion, and one of the 14 scenarios is likely to match a retailer’s situation.

The document provides the 15 to 30 security controls that will be relevant to a retailer based on its situation. It pares down the 200+ controls of the PCI DSS standard and provides a practical set of controls that are actionable and able to be addressed by a non-IT person.

In the year since the document was published, half a million merchants have been contacted with the materials, and they’ve been well received. We’re now updating the document to include information on how a retailer can show its financial partners and customers that it has taken these basic security steps and applied them. The update should be released in the first half of next year.

Retail Executive: What programs exist to help retailers address payment security?

Mauro Lance, COO, PCI Security Standards Council: Our QIR initiative is designed for smaller merchants who rely on technology resellers to implement payment technology. Launched in 2012, the QIR program seeks to ensure that resellers have the necessary skills and understanding to properly implement Payment Application Data Security Standard payment applications in a way that supports their PCI DSS compliance efforts. Later this year, the council is expanding the scope of the QIR program to allow more solutions providers to benefit. This will provide the ecosystem with more qualified professionals and raise the collective security IQ of the industry.

For large retailers, we have our QSA program. However, QSA companies have been telling us that there’s a shortage of security professionals. Our qualification requirements are stringent, and QSAs have been asking how we can help bring new professionals into the industry. We recently did a soft announcement of our new Associate QSA program, which is a way to cultivate security professionals earlier in their careers and get them into the QSA pipeline. The Associate QSA program includes training similar to that of full-blown QSAs, but doesn’t require all the certifications and tenure. Associates receive mentorship and learn in the field about PCI DSS assessments. Eventually, they will graduate to full QSA status.

Retail Executive: What are the areas of security that you find most retailers struggle with?

Leach: First, let me point out that we’ve noticed that larger retailers have matured over the past few years to develop good security practices that consistently meet the PCI requirements. This is a great upward trend and a positive note for retailers.

That said, one challenge is that criminals and malware targeting retail systems today aren’t targeting solely large retailers. The data suggests that criminals don’t care or even know if the target is large or small, as the malware is indiscriminate.

Retail Executive: What will payments look like five years from now?

Leach: The PCI Council and our related bodies are going to continue to pursue innovative ways to devalue data and reduce exposure to fraud. We’ve introduced point-to-point encryption (P2PE), payment tokens, and dynamic authentication that have all been very effective already. In fact, we’ve had numerous retailers reveal that they were breached, but the criminals couldn’t collect any valuable data because it was all encrypted.

Analysts anticipate that by the end of 2017, 97 percent of retailers will have some form of payment data encryption implemented. That is success, but we still have work to do. The next few years will be a renaissance for payment security. It’s exciting