Bluefin’s Chief Executive Officer, John M. Perry, and Chief of Strategy, Ruston Miles, recently attended the PCI Europe Community Meeting in Barcelona to learn about the latest in payment trends and PCI standards.
The three days of sessions, with updates and insights from regional community figures, merchants, and members of the Council, were kicked off by Jeremy King, International Director of the PCI SSC, with his keynote address on PCI’s Strategic Initiatives for 2017. The session provided an update on the latest Council news, offered insights into the current and future payment security landscape, and discussed the Council’s vision for the coming years.
One of the key PCI initiatives for 2017 was discussed in detail by PCI Chief Technology Officer, Troy Leach. Leach’s session, PCI and the Next Generation of Payment Security, reviewed the security trends that PCI EU attendees should expect to see in the future.
There are three areas, Leach said, where PCI Standards are evolving, including improved authentication, better software design for today’s many payment options, and increased security accountability for third-party vendors. Within all three areas, Leach said, there is a shared responsibility.
“From the development to the installation of payment products to the ongoing monitoring for malicious attacks, security remains a shared responsibility. Whether it is a software developer, cloud administrator or someone installing a POS for a merchant down the street, there should be a recognition of the accountability each service provider has to protect payment data to the best of their ability and be able to demonstrate that level of effort to their business partners.”
Improved Authentication
Authentication is the process of verifying that an individual, entity or website is who it claims to be. In the context of web applications, authentication is commonly performed by submitting a username or ID together with one or more items of private information that only the given user should know.
How is the PCI SSC addressing this area? The PCI SSC enhanced its requirements for multi-factor authentication (MFA) and published guidance earlier this year on the proper use of MFA for preventing unauthorized access to computers and systems that process payment transactions. Additionally, the PCI SSC announced two new PCI Standards to further enhance the security of 3-D Secure (3DS) infrastructures and transactions.
As Ecommerce has evolved, consumers are no longer just going to the store to buy their goods – they are now buying from the comfort of their own home, using a smartphone or home computer to place the order. Additionally, more advanced Ecommerce technologies, such as smart speakers and virtual assistants, are on the rise, expanding the Internet of Things (IoT) options for merchants and consumers.
These advances have also created opportunities for cybercriminals to expose the payment information held within smart devices. In fact, a recent Verizon Business report revealed that 81% of hacking-related data breaches involved weak, default or stolen passwords.
Leach addressed the significance of these vulnerabilities in his session, stressing that “as criminals continue to target valid credentials like passwords, authenticating the user, the payment transaction and the integrity of the payment instrument will become increasingly important.”
Better Software Design for Modern Payments
Leach also pointed out that better software design is important to payment security because of the growing dependence on software to manage all aspects of payment transactions and the relationship between cardholders, merchants and their financial partners.
Good software design begins with confirming that application developers are aware of trends in cybercriminal activity against payment data and are trained in the best practices to minimize risk in the design of future code. It also requires CISOs to manage their third-party relationships to have adequate oversight and/or agreements that the vendor will continue to monitor for future threats as well.
The PCI SSC is currently working on standards to address secure design and development of payment software, with the intent to address the pace of change in modern software development and promote software lifecycle awareness while maintaining integrity and transparency of payment security within the code design.
Security Accountability for Third Parties
While organizations traditionally focus on security within their own boundaries, they often rely on other businesses, such as third-party vendors, as partners and use those partners’ resources to perform other business functions.
Third-party vendors are members of a wider group of individuals or entities with special access to IT networks, called privileged users. Because of their elevated level of access, these individuals are among the most prized targets for hackers looking to reach sensitive information. Privileged credentials pose challenges for organizations in a number of ways; even companies with a sophisticated security strategy may not have a firm grasp on how to define who counts as a “privileged” user.
Given the many reported breaches involving third-party compromises, it is now clear that these third parties can be an entry point for threat actors to reach a company’s sensitive information.
PCI SSC is prioritizing security accountability for third parties in a number of ways:
- PCI DSS 3.2 introduced additional ongoing testing for third-party service providers to demonstrate continued security, so that customers relying on those services can have more confidence in the security of the payment environment.
- The Qualified Integrator Reseller (QIR) program helps address a particularly vulnerable link in the payment chain – the installation and maintenance of payment systems. Improper and insecure setup – failure to change default passwords or to turn off remote access, for example – continues to be a leading cause of breaches.
- As part of its focus on software security, the PCI SSC is prioritizing software developer education, so that merchants can have confidence in the security of the products they are using.
The Ponemon Institute recently published a report sponsored by the risk firm Opus entitled “Data Risk in the Third-Party Ecosystem” that addressed just how much of a problem third parties posed to a company.
Surveying 625 individuals believed to be familiar with the details of their organization’s third-party risk management posture, Ponemon found that 56% of respondents had suffered a third-party data breach in the last year, a 7% increase over the previous year.
Leach addressed the importance of third party accountability in Barcelona, as businesses rely more and more on the outsourcing of services and software they operate within their enterprise.
Point-to-Point Encryption (P2PE) as Part of the Security Equation
Like many previous PCI Community Meetings, there was continued discussion on the importance of PCI-validated P2PE in Barcelona.
A P2PE solution is a combination of secure devices, applications and processes that encrypt data from the point of interaction (for example, at the point of swipe or dip) until the data reaches the solution provider for secure decryption.
In another session led by Troy Leach, Payment Security Areas to Watch, he pointed out that encryption technology provides many opportunities for securing payment data, and that he was encouraged by the rise of encryption used in payments.
Bluefin’s PCI-Validated P2PE solution devalues the data, encrypting credit and debit cards at the Point of Interaction or device terminal, preventing clear-text cardholder data from being present in a merchant or enterprise’s system or network where it could be accessible in the event of a data breach.
Implementing a validated P2PE solution also reduces the number of applicable PCI DSS requirements by fully removing clear-text cardholder data from the merchant’s payments systems.
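To make the P2PE flow described above concrete, here is an added example (not Bluefin's or the PCI SSC's code) that models the three parties: a point-of-interaction device that encrypts the PAN the moment it is read, a merchant system that only ever forwards an opaque blob it cannot decrypt, and a solution provider that holds the key and decrypts. The test card number, the device key and the HMAC-SHA256 keystream-plus-MAC construction are all constructed stand-ins; real P2PE devices use hardware-protected keys and DUKPT-derived per-transaction AES keys. The example also includes the check a merchant would want: a Luhn-based scan confirming that no clear-text PAN is present in the message leaving the POI, which is what "devaluing the data" means in practice.

```python
"""Toy model of a point-to-point encryption (P2PE) flow (added example)."""
import base64
import hashlib
import hmac
import json
import os
import re
from typing import Optional

DEVICE_KEY = os.urandom(32)        # constructed; real keys are injected into the device under KIF controls
TEST_PAN = "4111111111111111"      # constructed test number, not a real card


def _derive(key: bytes, label: bytes) -> bytes:
    """Split the device key into separate encryption and MAC keys."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stand-in for AES)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def poi_encrypt(pan: str, key: bytes, nonce: Optional[bytes] = None) -> dict:
    """Runs inside the POI device: the clear PAN goes in, only ciphertext comes out."""
    nonce = nonce or os.urandom(12)
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    pt = pan.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    b64 = lambda b: base64.b64encode(b).decode()
    return {
        "masked_pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],  # receipt-safe, not a PAN
        "nonce": b64(nonce),
        "ciphertext": b64(ct),
        "tag": b64(tag),
    }


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check used to tell card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


PAN_RUN = re.compile(r"\d{13,19}")


def contains_clear_pan(text: str) -> bool:
    """Merchant-side leak check: does the message carry a Luhn-valid card number?"""
    return any(luhn_valid(m.group()) for m in PAN_RUN.finditer(text))


def merchant_forward(blob: dict) -> str:
    """Merchant system: serialise and forward. It holds no key and cannot decrypt."""
    msg = json.dumps(blob)
    if contains_clear_pan(msg):
        raise RuntimeError("clear-text PAN leaked into merchant message")
    return msg


def provider_decrypt(msg: str, key: bytes) -> str:
    """Solution provider: verify the tag first, then recover the PAN."""
    blob = json.loads(msg)
    nonce, ct, tag = (base64.b64decode(blob[k]) for k in ("nonce", "ciphertext", "tag"))
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def run_demo(pan: str = TEST_PAN, key: bytes = DEVICE_KEY) -> dict:
    """End-to-end run: POI -> merchant -> provider, plus a tamper attempt on the blob."""
    msg = merchant_forward(poi_encrypt(pan, key))
    recovered = provider_decrypt(msg, key)
    bad = json.loads(msg)
    raw = bytearray(base64.b64decode(bad["ciphertext"]))
    raw[0] ^= 1                                   # flip one ciphertext bit in transit
    bad["ciphertext"] = base64.b64encode(bytes(raw)).decode()
    try:
        provider_decrypt(json.dumps(bad), key)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return {
        "merchant_saw_clear_pan": contains_clear_pan(msg),
        "provider_recovered": recovered == pan,
        "tampered_rejected": tampered_rejected,
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the demo is the scope reduction in the paragraph above: nothing the merchant stores, logs or transmits contains a Luhn-valid PAN, so a compromise of the merchant network yields only ciphertext it has no key for. The tag check shows why the decryption environment must reject anything modified in transit rather than silently decrypting garbage.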
Bluefin’s Presence at the PCI Europe Community Meeting
Bluefin’s Perry and Miles were also joined at the PCI Europe Community Meeting by former General Manager of the PCI SSC, Stephen W. Orfei. Orfei recently joined Bluefin’s Product Advisory Council to provide strategic guidance and feedback on the company’s payment security and P2PE product expansion.
Like Bluefin, Orfei is a believer in devaluing the data.
“We cannot prevent our systems and networks from being breached – but we can devalue the data, making it useless in the hands of criminals, organized crime and state-funded actors. Bluefin’s encryption and services do exactly that by helping merchants and service providers get connected, encrypted, and protected,” stated Stephen W. Orfei.
As a Participating Organization (PO) of the PCI SSC since 2006, Bluefin has worked closely with the PCI over the years to advance point of sale and Ecommerce payment security.
To learn more about the sessions presented in Barcelona, check out PCI Perspectives for insights, information and practical resources to help your organization protect payment data.