In September, Hurricane Irma forced the PCI SSC to cancel the North America Community Meeting; and the uncertainty of Catalonian independence from Spain may have led some to stay home from the Europe Community Meeting held in Barcelona last week. Nevertheless, the Coalfire team was well-represented in Barcelona. Because there were so many valuable updates, we offer this summary to keep you informed of these important developments in the world of PCI.
PCI Europe kicked off on Tuesday with a Keynote on PCI’s Strategic Initiatives, led by the senior team from the PCI SSC (Jeremy King, Troy Leach, Mauro Lance, Mark Meissner). The focus of this session was on new and ongoing programs, among them:
- Bank of India is now mandating PCI Compliance for merchants
- PCI SSC is announcing new partners in Brazil and Russia (where the market for PCI compliance is growing rapidly)
- The Small Merchant Task Force is expanding free resources in more languages on the PCI SSC website (including the new merchant-facing site released just last week at https://www.pcisecuritystandards.org/merchants/).
Next up, a panel from the PCI SSC Board of Advisors (Karen Czack, American Express; Pierre Chassigneux, Groupement des Cartes Bancaires; Stacy Hughes, Global Payments; and Tracey L. Long, WorldPay) presented some of their collective concerns as representatives from this group of the world’s largest processing entities. These included the need for small merchant-facing tools, card not present fraud prevention, and preparedness for continually increasing security threats facing the payments ecosystem.
Tuesday wrapped up with sessions from Verizon’s Christopher Novak (Where Data Breaches Intersect Compliance) and PCI SSC’s Troy Leach (Security Roadmap for Next Generation of Payments), in which both leaders discussed the emerging threats to the payments industry. Mr. Leach’s security predictions were that 97% of all transactions would be encrypted at the read head by end of 2018. Themes observed in 2017 included:
- Interconnectivity, authentication, encryption, and agile software development
- 79% of developed software uses open-source or third-party code
- Focus on authentication: MFA, card not present, enrollment credentials, cardholder verification methods (e.g., PIN), and dynamic authentication
- Modern payment software: Rapid change, use of open-source, legacy code with modern threats, newer security techniques (CI/CD)
In summary, Leach asserts that the payments industry needs (a) better authentication, (b) better software design, (c) better accountability for third parties, (d) better education and collaboration, and (e) better technology and processes to simplify compliance. To address these trends, he made the following big announcements:
- A new software security standard will be coming next year (RFC starting in November; aspects were also previewed during later sessions, see below).
- PCI 3-D Secure standards for e-commerce fraud prevention (the PCI 3DS Core Security Standard and Data Matrix were released this week and can be downloaded from the PCI Document Library).
- A standard for PIN entry on Commercial Off-the-Shelf (COTS) devices is currently in RFC and is expected very soon.
- New mobile security guidelines for merchants and developers were updated last month (downloadable from the PCI Document Library)
- A call to the community-at-large to continue working toward automation that addresses card data security.
During Wednesday’s Welcome Remarks, Jeremy King, the Council’s International Director for PCI Security Standards, elaborated on the SIG selection process for 2018. The ballot recently closed, in which POs were to cast their ballot from among the following options:
- Update guidance for Maintaining PCI DSS Compliance
- Create guidance for Remote Access for POS Vendors
- Update guidance for PCI DSS Virtualization Guidelines
- Update guidance for Protecting Telephone-based Payment Card Data
- Create guidance for Social Engineering Awareness and Testing
- Create guidance for PCI DSS Cryptography and Key Management
- Create guidance for Machine Identity Protection
- Create guidance for Incident Response and First Responders
Note: If you are a PCI Participating Organization, we highly encourage you to monitor this process, and ensure participation from your organization in the selected Special Interest Group(s) in order that we might continue to improve our industry together.
The keynote session was Lessons from the Miracle on the Hudson, presented by Jeff Skiles, the co-pilot of U.S. Airways Flight 1549, which crash-landed in the Hudson River (subject of the recent Tom Hanks movie “Miracle on the Hudson”). In his compelling recounting of this harrowing event, he drew insightful analogies to cybersecurity from the practices that were crucial to their life-saving incident response, such as a highly standardized work environment and process flows, common terminology, dual controls, quality engineering, and the importance of the team. Like flight safety, modern enterprise security can also be greatly enhanced by managers who empower their employees with the tools to make proper decisions in the field, by visibility, by whistleblower protections, and by threat management through continuous improvement.
PCI Manager for Device Standards, Tim Cormier, presented on Navigating the PTS-Approved Device Listings in a session intended for merchants, vendors, and QSAs who want to better understand PTS approvals. Of note, Mr. Cormier reminded the audience that “if it’s not listed, it’s not approved.” This includes expired validations (which are listed separately) or devices that must have certain features disabled to ensure compliance.
Note: Coalfire encounters this costly mistake all too frequently, where our clients make assumptions about device or application approvals without confirming the important details on the PCI website – so this reminder is very appropriate even today.
In the next session, PCI DSS... Beyond Compliance and Actually Improving Cyber Defense, Adetokunbo Omotosho reminded the audience that the key points of PCI DSS are Build, Protect, Maintain, and Monitor. In his experience, less than 30% of clients were found to be compliant a year after their initial assessment, and the average delay in breach discovery is more than 200 days. These facts compel us to begin looking at compliance differently – as a destination of sorts – and to look at security as the journey. The focus then, Mr. Omotosho contends, should be on improving cyber defense. PCI DSS should be the minimum set of controls, and a proper scoping of the CDE should lead the enterprise to identify assets outside the CDE that may not be properly protected by PCI controls. Accordingly, highly sensitive areas may necessitate additional layers of security above and beyond what is dictated within the DSS (e.g., next-gen firewalls, FIM + file control, or moving from log monitoring to log and event correlation).
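To make the last point concrete (moving from log monitoring to log and event correlation), here is an added example that is not from the Coalfire post or from Mr. Omotosho's session. It parses a handful of constructed, syslog-style sshd lines and contrasts what per-line monitoring sees (every failed login, with no context) with a correlation rule that only fires when a burst of failures from one source is followed by a successful login from that same source within a short window. Hostnames, addresses, timestamps, and thresholds are all made up for illustration.

```python
"""Toy log/event correlation: flag a burst of failed logins from one source that is
followed by a successful login from the same source on the same host within a window.
Added example, not from the Coalfire post; all log lines below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like sshd format (not real data).
SAMPLE_LOG = """\
2017-10-24T10:00:01 host1 sshd[101]: Failed password for admin from 203.0.113.5 port 5001
2017-10-24T10:00:03 host1 sshd[102]: Failed password for admin from 203.0.113.5 port 5002
2017-10-24T10:00:04 host1 sshd[103]: Failed password for root from 203.0.113.5 port 5003
2017-10-24T10:00:06 host1 sshd[104]: Failed password for admin from 203.0.113.5 port 5004
2017-10-24T10:00:09 host1 sshd[105]: Accepted password for admin from 203.0.113.5 port 5005
2017-10-24T10:05:00 host1 sshd[106]: Failed password for bob from 198.51.100.7 port 6001
2017-10-24T10:20:00 host1 sshd[107]: Accepted password for bob from 198.51.100.7 port 6002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def parse(line):
    """Turn one log line into an event dict, or None if it is not an auth line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def count_failures(log_text):
    """What plain per-line monitoring sees: a count of failures with no context."""
    events = (parse(line) for line in log_text.splitlines())
    return sum(1 for ev in events if ev and ev["result"] == "Failed")


def correlate(log_text, threshold=3, window=timedelta(minutes=2)):
    """Return alerts as (src, host, user, n_failures) whenever at least `threshold`
    failures from `src` on `host` preceded a success from the same source within
    `window`. Failures older than the window are forgotten, so a lone failure
    long before a legitimate login (the 'bob' lines) does not fire."""
    failures = defaultdict(deque)  # (host, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        recent = failures[(ev["host"], ev["src"])]
        # Expire failures that fall outside the correlation window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            continue
        # A success: correlate it with the failures that led up to it.
        if len(recent) >= threshold:
            alerts.append((ev["src"], ev["host"], ev["user"], len(recent)))
        recent.clear()
    return alerts


if __name__ == "__main__":
    print("failures seen by per-line monitoring:", count_failures(SAMPLE_LOG))
    for alert in correlate(SAMPLE_LOG):
        print("correlated alert (src, host, user, failures):", alert)
```

On the sample data the per-line view reports five failures and would page someone for each of them, while the correlation rule produces a single alert for the 203.0.113.5 burst that ended in a successful "admin" login, and stays quiet for the isolated "bob" failure fifteen minutes before a normal login. In a real deployment the same pattern extends to other event pairs the session alluded to, such as an FIM change on a CDE host shortly after an unusual administrative login.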
In his session titled Cryptography – Issues and Directions, Ralph Poore, Director of Emerging Standards at PCI SSC, provided a technical and historical overview of cryptography with an eye on payments. From algorithms to ciphers, software encryption, hardware devices, service providers and key management, crypto is interwoven into every area of security. The principal takeaways from this session are that cryptography is constantly changing, and we should expect changes in order to address new attacks. This can be challenging to manage, but the importance of attending to encryption should not be downplayed since it has such a vital role in security today.
Adam Heczko’s session on Journey to PCI DSS Compliant Private Cloud focused on the many open source options for staying “cutting edge” and improving security in the cloud, such as OpenStack and Kubernetes. This discussion on use of DevSecOps to power security cloud processes resonated with our team, which has been similarly evangelizing the integration of security into modern development, and the streamlined assessment of environments that utilize these techniques.
Coalfire’s own Sam Pfanstiel joined this year’s 2017 Cloud SIG Update Panel along with John Markh, Standards Manager for the PCI SSC, and fellow SIG members Alan Gutierrez-Arana and Yusuf Musaji. In this discussion on cloud security, it was announced that the Cloud Computing Guidance is planned for release in January 2018. Areas of focus on this guidance update include emerging cloud technologies (such as VDI, containers, cloud HSM, and microservices), the increasing importance of clear responsibility (e.g., responsibility matrices, AOCs, vendor oversight), as well as appropriate vendor management, vulnerability management, and assessment of cloud environments.
Note: Coalfire leads the industry in PCI DSS expertise among leading cloud IaaS, PaaS and SaaS providers, including performing the annual assessments for AWS and Azure. Our PCI in the Cloud services help customers with cloud-based assessments, architecting PCI-compliant cloud infrastructure, and migrating workloads to the cloud. Contact Coalfire for assistance with your cloud-driven security initiatives.
Next, Andrew Jamieson from UL and Emma Sutcliffe, Senior Director of Data Security Standards from the PCI SSC, jointly presented on Fixing Online Fraud - 3DSecure & In-Browser Payments. The most important facts to remember are that the success of EMV is ramping up the threat of fraud in e-commerce and other card not present transactions, and that these channels are simultaneously growing. The recently updated 3-D Secure (3DS) standard from EMVCo mitigates this risk, but only when it is properly implemented to protect sensitive data. With the newly released data security standards for 3DS, QSA (P2PE) assessors are now able to perform these crucial EMV 3DS assessments.
Last year, WorldPay UK became the first large acquirer to obtain a P2PE listing. In the session A Customer’s Journey of Implementing a Validated P2PE Solution, the Problems, Dilemmas and Benefits – A Merchant Experience Case Study, Peter Gore from McColl’s and WorldPay’s Tracey Long and Jo Smith discussed the many challenges they faced, and that any merchant faces, when implementing this critical aspect of overall PCI security. Having a qualified and experienced P2PE QSA is clearly an important aspect for success. Merchants should understand a simple fact: If you accept credit cards in any way, you are 100% responsible for every requirement of the PCI DSS in your environment. The good news is that if you choose to leverage a listed P2PE solution properly, the requirements left for you to manage across your environment can be dramatically decreased, saving you time and money while still maintaining a secure environment and reducing the risk of a payment breach.
Note: Coalfire has been dedicated to leveraging encryption to help merchants see the benefits of more secure and lower risk cardholder data environments since the PCI SSC was created many years ago. Coalfire has provided thought leadership in the evolution of the PCI P2PE program, striving to make it accessible to as many merchants as possible, as well as enabling service providers to offer the most secure encryption solutions to their merchants. Coalfire has maintained dozens of P2PE QSA staff since the P2PE program began and has a dedicated P2PE program, which has supported hundreds of customers in offering and leveraging the best encryption solutions that fit the business needs of those customers.
One of the most exciting announcements of the week was the upcoming Software Security Standard (“S3”), as revealed and discussed in the session Technologies for Application Security and Compliance in the Era of DevOps and Cloud by John Markh, Standards Manager from PCI Security Standards Council, and Joseph Feiman from Veracode. In this session, the challenges of PA-DSS and application security in an era of cloud, CI/CD, DevOps, and containers were discussed, along with how S3 intends to address them. S3 will offer more flexible requirements for application validation, including delta reviews, addressing software supply chain risks (e.g., components, libraries), and the ability for vendors to maintain evidence through the lifecycle of the software. While far from finalized (several RFCs are in the works), the ultimate goal is to shift from PA-DSS (a single point-in-time test) to validation based around the continuous lifecycle of the application (including routine testing of security, vulnerabilities, and the application itself).
Note: Coalfire’s application validation and PCI teams are actively involved in the task forces and RFC responses related to the development of S3, so reach out to Coalfire if you have input, concerns, or questions about this process.
In the session on Extending Your PCI DSS Compliance to Cover General Data Protection Regulation, Nigel Tranter from Payment Software Company discussed the pressures organizations will face with the new General Data Protection Regulation (GDPR) coming this May. He covered the relationship between PCI DSS and GDPR, and the applicability of these privacy requirements to organizations worldwide (not just those in Europe).
Note: Coalfire is not only prepared to support GDPR efforts, but is actively leading the way providing thought-leadership and education on this important topic. Read more about our GDPR services here and access the three-part series from Coalfire’s Andy Barratt as he discusses GDPR with Chris Strand from CarbonBlack and Adrian Davis, (ISC)2 Managing Director (Part 1, Part 2, Part 3 upcoming.)
Next up was a live demonstration of a remote access exploitation using port scanning, brute-force authentication, and malware to perform RAM-scraping of the target computer. This demo from Gary Glover at SecurityMetrics, Cybercriminals Love Your Remote Access: A Hacking Demonstration, is an example of why we have been stressing the importance of P2PE to protect card data in RAM, and why admin workstations must be considered in-scope for PCI DSS.
Andrew Barratt, Coalfire’s Managing Principal in EMEA, took the discussion to the next level with his session, What Happens When the Attackers go POStal? Showcasing how card data protections alone are not adequate, he demonstrated how retail payment interfaces can be leveraged to perform fraud even when card data itself may not be directly exposed. Mr. Barratt’s revealing talk challenged assumptions in the payment security space by reminding the audience that card data is only one facet of ultimately protecting the merchant from costly exposure. Merchants may face breaches that lead to direct theft of inventory and not cardholder data.
In a packed afternoon, the updates provided in the Mobile Security Update session from Elizabeth Terry and Michael Thompson from the Council should not be overlooked. These updates included the coming PIN-on-COTS (also called PIN-on-glass) standard, which will finally support the use of consumer mobile devices to accept PIN entry. Considered by some to be a quantum leap in cardholder verification for mPOS, the PCI SSC is expediting the support for this standard “soon.” In addition, new mobile guidance was released last month for both merchants and developers, primarily surrounding the need for logging and monitoring of mobile applications.
Note: Coalfire has worked both within the Mobile Task Force and within the industry to monitor the coming standard for PIN-on-COTS and the updated Mobile Guidelines. For more information about this new guidance, or to provide feedback on PIN-on-COTS, contact your Coalfire account manager or submit a request for more information.
On the final day of the meetings, Coalfire’s Sam Pfanstiel kicked things off with a live demo of the company’s flagship cybersecurity communication and assessment portal, CoalfireOne. Conference attendees were pleased to see new features that include support for multiple simultaneous assessments, shared evidence and reporting, task visibility, and threaded collaboration to support a cost-efficient assessment process for the dynamic enterprise. If you would like to receive a custom demo of the CoalfireOne portal, contact your Coalfire account manager or submit a request on our CoalfireOne webpage.
In the final morning of sessions, the highlight was the keynote, Rebuilding Security – Lessons Learned from Tragedy. Delivered by the Director of Security and Chief Investigator at the Isabella Stewart Gardner Museum, Anthony Amore walked the audience through the security vulnerabilities that led to the largest terror attack and property heist in recent years – both carried out in Boston and now under his care. The key takeaway from this session was the importance of transparent forensic review of process failures, so that controls can be implemented to protect against these oversights in the future. For security professionals fighting an endless battle to protect valuable assets, information sharing can be the crucial link to defending against these threats.
In summary, the PCI Europe Community Meeting demonstrated how the PCI SSC continues to adapt to rapid market changes and support the ultimate goal of payments security. With recent and upcoming guidance on mobile security, compliance in the cloud, and application security, we see that compliance is keeping pace with the rapid technology transformation of payments. We trust that this summary is valuable to help keep our clients in-the-know. If you would like to discuss any of these topics, we invite you to contact us to learn more about how upcoming changes may affect your organization.