The Payment Card Industry Security Standards Council (PCI SSC), has announced the election results for its 2016 Special Interest Group (SIG) project.
Special Interest Groups are community-led initiatives that address important security challenges related to PCI Security Standards. One new Special Interest Group is selected every year, but groups may run for more than 12 months in order to complete the agreed-upon goals.
PCI member organizations, including merchants, financial institutions, service providers and associations, voted on five proposed Special Interest Group topics submitted by their peers. The winning topic selected for 2016 was, “Best Practices for Safe E-Commerce”
The new Special Interest Group is slated to kick off in January 2016
The Council invites PCI member organizations and assessors interested in getting involved in this SIG project to register on the PCI SSC website by 4 January 2016.
The community choose from among five strong proposals, so it was certainly not an easy decision,” said Jeremy King, International Director, PCI SSC. “We are encouraged by how many Participating Organizations were involved in the submission and election process this year. SIGs continue to be an excellent vehicle for putting their expertise to work to improve payment card security globally
This week business leaders and security professionals gathered in Nice, France to discuss payment based security and especially PCI DSS and P2Pe.
Jeremy King PCI Security Standards Council International Director said, The new European Commission Payment Services Directive 2 along with the European Banking Authority Guidelines for Securing Internet Payments have clear and detailed requirements for organisations in protecting cardholder data. Add to that the soon to be released General Data Protection Regulation which covers all data security, and you have a massive increase in data security, which when implemented will impact all organisations in Europe and beyond,
These regulations will force organisations to take security seriously, and PCI provides the most complete set of data security standards available globally. Establishing good data security takes time and effort. Organisations need to know these regulations are coming and put a plan in place now for ongoing security
With 70% of all card fraud coming from Card-Not-Present (CNP), a figure that surpasses the previous 2008 record which was set during the EMV chip migration, it is a critical time for the industry.
A significant amount of the conference was spent on new and developing technologies including::
Cloud – Daniel Fritsche of Coalfire presented on Virtualisation and the Cloud
Mobile – several presentations including the Smart Payments Association
Point to Point Encryption (P2PE) – Andrew Barratt of Coalfire delivered a panel discussion
Tokenisation – A presentation by Lufthansa Systems
Jeremy King added. PCI is committed to helping organisations globally improve their data security. Our range of standards, and especially our supporting documents, are designed to help all companies improve and protect their data security. The annual Community Meeting is a big part of our efforts to engage with companies from all sectors, sharing and exchanging information to ensure they have the very best level of security
We must work together to tackle card-not-present fraud with technologies such as point-to-point encryption and tokenisation that devalue data and make it useless if stolen by criminals.
Attendees included experts from Accor Hotels, , British Telecommunications, Capita, Coalfire Systems Limited, Accor Hotels, Lufthansa, Virgin Trains, Vodat International and hundreds of others.
For any organization connected to the internet, it is not a question of if but when their business will be under attack, according to a recent cybersecurity report from Symantec, which found Canada ranked No. 4 worldwide in terms of ransomware and social media attacks last year. These increasing attacks put customer information, and especially payment data at risk for compromise.
When breaches do occur, response time continues to be a challenge. In more than one quarter of all breaches investigated worldwide in 2014 by Verizon, it took victim organization weeks, or even months, to contain the breaches. It is against this backdrop that global cybersecurity, payment technology and data forensics experts are gathering in Vancouver for the annual PCI North America Community Meeting to address the ongoing challenge of protecting consumer payment information from criminals, and new best practices on how organizations can best prepare for responding to a data breach.
A data breach now costs organizations an average total of $3.8 million. However, research shows that having an incident response team in place can create significant savings. Developed in collaboration with the Payment Card Industry (PCI) Forensic Investigators (PFI) community, Responding to a Data Breach: A How-to Guide for Incident Management provides merchants and service providers with key recommendations for being prepared to react quickly if a breach is suspected, and specifically what to do contain damage, and facilitate an effective investigation.
The silver lining to high profile breaches that have occurred is that there is a new sense of urgency that is translating into security vigilance from the top down, forcing businesses to prioritize and make data security business-as-usual,” said PCI SSC General Manager Stephen W. Orfei. “Prevention, detection and response are always going to be the three legs of data protection. Better detection will certainly improve response time and the ability to mitigate attacks, but managing the impact and damage of compromise comes down to preparation, having a plan in place and the right investments in technology, training and partnerships to support it
This guidance is especially important given that in over 95% of breaches it is an external party that informs the compromised organization of the breach,” added PCI SSC International Director Jeremy King. “Knowing what to do, who to contact and how to manage the early stages of the breach is critical
At its annual North America Community Meeting in Vancouver this week, the PCI Security Standards Council will discuss these best practices in the context of today’s threat and breach landscape, along with other standards and resources the industry is developing to help businesses protect their customer payment data. Keynote speaker cybersecurity blogger Brian Krebs will provide insights into the latest attacks and breaches, while PCI Forensic Investigators and authors of the Verizon Data Breach Investigation Report and PCI Compliance Report, will present key findings from their work with breached entities globally. Canadian organizations including City of Calgary, Interac and Rogers will share regional perspectives on implementing payment security technologies and best practices.
Download a copy of Responding to a Data Breach: A How-to Guide for Incident Management here.
The original PCI SSC press release can be found here.
The PCI Security Standards Council (PCI SSC), have announced that the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) 3.0 are now available in nine languages.
“It’s important that organizations around the globe have the resources they need to protect card data,” said Bob Russo, general manager, PCI Security Standards Council. “We’re happy to make the PCI Standards available in a number of languages to assist organizations as they work to make payment security part of their business-as-usual practices.”
PCI DSS and PA-DSS 3.0 were published in November 2013, with updates made based on feedback from the Council’s global constituents and response to market needs.
Over 50% of this feedback came from outside of the U.S., emphasizing the Council’s active international membership base.
The PCI SSC website supports translated pages and PCI materials including the new PCI DSS v3.0 and PA-DSS v3.0 in the following languages:
“We continue to be encouraged by the growing participation from global stakeholders in PCI Standards development, said Jeremy King, international director, PCI Security Standards Council. “We’re optimistic that these translations will increase awareness and adoption of the standards and drive improved payment security.”
Hot on the heels of the ATM Guidelines the PCI SSC has released the PCI DSS E-commerce Guidelines Information Supplement.
The guidelines are designed to help e-commerce merchants to decide on which technologies and third party service providers to choose.
The e-commerce Special Interest Groups (SIGs) helped put the guidelines together and that meant using their knowledge of the marketplace to produce an industry specific document.
Take SQL injections as an example. This is not a new attack, and something we’ve known about in the industry for years. Yet it continues to be one of the most common methods by which e-commerce websites are compromised, said Bob Russo, general manager, PCI Security Standards Council. “This can be addressed through simple, prudent coding practices, but merchants often don’t know where to start. These guidelines will help them better understand their responsibilities and the kinds of questions they need to ask of their service providers. In the case of SQL injections, one of the most important items to request of an e-commerce service provider is a description of the security controls and methods it has in place to protect websites against these vulnerabilities.
The PCI DSS E-commerce Guidelines Information Supplementprovides an introduction to e-commerce security and guidance around the following primary areas and objectives:
E-commerce Overview – provides merchants and third parties with explanation of typical e-commerce components and common implementations and outlines high-level PCI DSS scoping guidance to be considered for each.
Common Vulnerabilities in E-commerce Environments – educates merchants on vulnerabilities often found in web applications (such as e-commerce shopping carts) so they can emphasize security when developing or choosing e-commerce software and services.
Recommendations – provides merchants with best practices to secure their e-commerce environments, as well as list of recommended industry and PCI SSC resources to leverage in e-commerce security efforts.
The document also includes two appendices to address specific PCI DSS requirements and implementation scenarios:
PCI DSS Guidance for E-commerce Environments – provides high-level e-commerce guidance that corresponds to the main categories of PCI DSS requirements; includes chart to help organizations identify and document which PCI DSS responsibilities are those of the merchant and which are the responsibility of any e-commerce payment processor.
Merchant and Third-Party PCI DSS Responsibilities – for outsourced or “hybrid” e-commerce environments, includes sample checklist that merchants can use to identify which party is responsible for compliance and specify the details on the evidence of compliance.
E-commerce continues to be a target for attacks on card data, especially with EMV technology helping drive so much of the face-to-face fraud down in Europe and other parts of the world, said Jeremy King, European director, PCI Security Standards Council. “We are pleased with this guidance that will help merchants and others better understand how to secure this critical environment using the PCI Standards.
For a link to the full document please use my PCI Resources page here.
The PCI Security Standards Council has launched its formal feedback period on version 2.0 of the PCI DSS and PA-DSS, inviting Participating Organizations and assessors (QSAs) to provide suggestions and commentary on the development of the next PCI Standards.
The PCI Council works on a three-year lifecycle to update the PCI Standards. Feedback from Participating Organizations representing merchants, banks, processors, vendors, security assessors and those across the payment chain is the foundational element of this process. The feedback period takes place a full year after the new versions of the DSS and PA-DSS were released, giving organizations the opportunity to provide input based on their experiences in implementing the standards. As of December 31, 2011, version 1.2.1of the PCI DSS and PA-DSS is retired and all validation efforts for compliance must follow version 2.0.
Beginning today, PCI stakeholders can submit input through a new online tool that automates and makes feedback easier to supply. All feedback will be reviewed by the Council and included in discussion for the next iteration of the PCI Standards.
In the Council’s last feedback cycle, hundreds of comments were received, with more than 50 percent coming from outside the U.S.
“With the Council’s Participating Organization base having grown substantially in Europe over the last year, and particularly with increased global representation on our Board of Advisors, we’re really looking forward to receiving input from our stakeholders around the world,” said Jeremy King, European Director, PCI Security Standards Council. “In a changing payments environment, it’s this input that will help us maintain a global standard that ensures the protection of cardholder data remains paramount.”
Feedback submissions will be grouped into three categories – Clarifications, Additional Guidance and Evolving Requirements – and shared for discussion with Participating Organizations and the assessment community at the 2012 PCI Community Meetings.
“Our community is made up of experts from across the payments chain, around the world and from organizations of every size, each dealing with different aspects of the PCI process,” said Bob Russo, general manager, PCI Security Standards Council. “We rely on their feedback and unique experiences to help us continually improve these standards for the protection of cardholder data.”
The online feedback tool can be accessed at online here.
In advance of annual PCI Community Meeting, Council celebrates more than 100 European companies as key contributors to the ongoing development of the PCI Standards.
The PCI Security Standards Council (PCI SSC), a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS), today announced a milestone in ongoing momentum and global participation – more than 100 European companies are now PCI Participating Organizations, promising a strong showing for this year’s PCI European Community Meeting on October 17-19, 2011, in London, England.
The Council is made up of more than 600 global Participating Organizations (POs) worldwide. Continual global involvement not only benefits stakeholder organizations but also the larger payment security community, by ensuring the diverse and unique industry and geographic perspectives of those across the payment chain are represented in the work of the Council.
European participation – including merchants, financial institutions and processors from around the continent – has been a key factor in the Council’s analysis and guidance on technologies in the payment environment, such as call center recording technologies and EMV, as well as the development of critical resources like the Prioritized Approach framework.
This year, Participating Organizations also elected a new Board of Advisors, with 7 of the 21 seats being represented by European companies, a testimony to the growing European involvement in the Council and the work and collaboration that is taking place in Europe to drive payment security forward.
”As a member of the Council since 2007, we are pleased to see the growing awareness around payment security in the UK and European regions over the last few years,” said PCI SSC Board of Advisors member Philip Morton, information security compliance manager, British Airways. “We are excited to bring our geographic and industry perspectives to the Council in serving on the Board this term and working with the PCI community to continue to drive increased protection of cardholder data in Europe and globally.”
Twenty-five percent of the growth among European POs has occurred in the last year, since the Council brought on European Director Jeremy King to concentrate PCI efforts in the region. This number has more than tripled since the first year of the Council’s existence.
“Counter to those who suggested that the issue of PCI Standards and global card security were U.S. centric initiatives, our ongoing growth in participation in Europe illustrates the increase in awareness, focus and feedback we are achieving globally,” said Jeremy King, European director, PCI Security Standards Council. “I am very excited about the growing number of European-based organizations who will join us at this year’s European Community Meeting. As we kick off our feedback period for the PCI Standards, I look forward to engaging this core group of stakeholders in our global standards lifecycle process. Together, these organizations will help influence the Council’s agenda and the direction and evolution of the PCI Standards in the coming years.”
The PCI SSC definition of Tokenization: “Tokenization technology replaces a Primary Account Number (PAN) with a surrogate value called a “token”. Specific to PCI DSS, this involves substituting sensitive PAN values with non-sensitive token values, meaning a properly implemented Tokenization solution can reduce or remove the need for a merchant to retain PAN in their environment once the initial transaction has been processed.
Merchants are ultimately responsible for the proper implementation of any Tokenization solution they use, including its deployment and operation, and validation of its Tokenization environment as part of their annual Payment Card Industry Data Security Standard (PCI DSS) compliance assessment.
Organizations should carefully evaluate any solution before implementation to fully understand the potential impact to their CDE (Cardholder Data Environment). The paper helps guide merchants through this process by:
Outlining explicit scoping elements for consideration
Providing recommendations on scope reduction, the tokenization process itself, deployment and operation factors
Detailing best practices for selecting a tokenization solution Defining the domains, or areas that specific controls need to be applied and validated, where tokenization could potentially minimize the card data environment
This additional guidance also benefits tokenization service providers and assessors by informing them on how the technology can help their merchant customers limit or eliminate system components that process, store, or transmit Cardholder data, and reduce the scope of the CDE and thus the scope of a PCI DSS assessment.
“We’ve continued the process to investigate these technologies and ways that the community can use them to potentially increase the security of their PCI DSS efforts” said Bob Russo, general manager of the PCI Security Standards Council. “These specific guidelines provide a starting point for merchants when considering tokenization implementations. The Council will continue to evaluate tokenization and other technologies to determine the need for further guidance and/or requirements.”
Jeremy King, European director of the PCI SSC, said the process is challenging because not all cards have a 16-digit primary account number (PAN). Some Tokenization methods are more applicable than others according to the card in question. Some tokens try to preserve the format of the original PAN in order to maintain compatibility with internal processing applications, while other approaches may generate a new truncated or randomised number, King said.
“Systems that allow you to get back to the PAN need to be properly protected, and are in scope,” King said.
Tokenisation can have a dramatic reduction on the requirements of PCI DSS. In simple terms if a Merchant has no credit card data stored the scope of PCI DSS is reduced.
For the majority of Merchants reducing the scope of PCI DSS by not storing Credit Card Data can mean the difference between a relatively simple Self Assessment Questionnaire (SAQ) e.g. SAQ A and the highly complex and extremely difficult SAQ D.
The PCI SSC Tokenization Information Supplement can be downloaded here.