Monday, November 24, 2014

PCI DSS Evolution - Best Practices

[Here is another in our series of  posts from Joe Tinucci, Assistant Treasurer of the University of Colorado. The best practices Joe discusses today focus on supplemental guidance published by the PCI Security Standards Council. Thanks for these great reviews, Joe! --gaw]

I mentioned in my last column about the activity at the PCI Security Standards Council's North American Community Meeting that there was a lot of discussion of how the PCI DSS will be evolving. Most of that conversation focused on three areas: continuous compliance, greater assurance, and the adoption of best practices.  In this post, I want to look at the current best practices guidance documents issued by the Council as one way of predicting how the standard will evolve.
All of these documents can be found at the PCI SSC website, in the PCI Standards Documents Library;, under the Fact Sheets & Info Supps tab.

Best Practices for Implementing a Security Awareness Program

This is the most recent document issued by the Council to assist organizations in complying with Requirement 12.6 for a formal security awareness program.  What I find most interesting about this document is how detailed and prescriptive it is - it does a very good job of laying out the specific topics on which staff should be trained at which level of responsibility.  In addition, this guide discusses metrics to measure the effectiveness of the training program.  Finally, it provides a Security Awareness Program Checklist for use in managing your program.  With this much specific guidance, I see how it could easily be integrated into Requirement 12 of a future version of the standard.

PCI DSS V3.0 Best Practices for Maintaining PCI DSS Compliance

This document is intended to present best practices for maintaining PCI DSS compliance AFTER a merchant organization has already successfully achieved compliance.  It appears that almost 90% of compliant organizations fail to maintain their compliance by the time the next self-assessment takes place; this is reason enough to rethink how we approach security (which is the goal of this entire process rather than simple compliance).  In effect, this document serves as a roadmap for making compliance your risk-based, measured, business-as-usual practice rather than a once-a-year event.  Since this is the direction in which the standard appears to be evolving, this document points to future new features such as ownership for coordinating security activities, continuous monitoring of security controls, development of performance metrics, and better risk assessment processes.

- Mobile Payment Acceptance Security Guidelines for Merchants as End-Users v1.1
- Mobile Payment Acceptance Security Guidelines for Developers v1.1

The first of these two Guides provides merchants with best practices for accepting / processing payments on mobile devices; the second does the same for app developers.  While the world of mobile devices is constantly changing, these guides focus on three main objectives that remain true no matter the underlying technology:
  • Prevent account data from being intercepted when entered into a mobile device
  • Prevent account data from compromise while processed or stored within the mobile device
  • Prevent account data from interception upon transmission out of the mobile device
As merchants see more mobile payments (and requests for mobile payment acceptance), expect these best practices to evolve as well as reappear as part of the next generation PCI DSS.

- Skimming Prevention: Overview of Best Practices for Merchants
- Skimming Prevention: Best Practices for Merchants

When the topic of skimming devices comes up, what automatically comes to mind -- at least for me -- is skimmers attached to ATMs or gas pumps.  This guidance covers far more than those two situations, including swipe card terminals and the placement of PIN-stealing cameras, and presents best practices for preventing and detecting tampering of physical equipment.  Many pictures of modified devices and checklists make these guides easy to integrate into your merchant processing practices.

Third-Party Security Assurance

As noted in a previous post, engaging a Third Party Service Provider (TPSP) does not absolve the merchant from being compliant.  Even if all cardholder activities are outsourced, the merchant is responsible for the proper vetting and selection of vendors as well as ensuring that they are compliant.  This guide focuses on due diligence in selecting an TPSP, correlating the services provided by the TPSP to the PCI DSS, written agreements, and monitoring.  This guidance will be particularly useful for those merchants in the SAQ A environment, where payment processing is outsourced to a TPSP but where the merchant is still responsible for being compliant, but it applies to all arrangements where a TPSP is engaged.

ATM Security Guidelines

This guidance is intended for ATM manufacturers, integrators, and deployers.  However, the sections on physical security and prevention of shoulder surfing might be of interest to ATM owners or others who have ATMs in their facilities.

There is one more guidance document still to come as a result of the 2014 Special Interest Groups (SIGs) -- Penetration Testing Guidance.  Of all the requirements of the PCI DSS, this one has been most problematic for our organization to understand and meet because good pen testers are few and far between.  This document should help organizations understand what they need to do, either internally if they have the appropriate skill set or through outsourcing this task to qualified pen testers.

The newest SIGs have been created to address:

- Daily Log Monitoring: Guidance on Effective Daily Log Monitoring, and
- Shared Responsibilities: Guidance on Determining Shared Responsibilities for Entities and Third Party Service Providers

I am looking forward to the output from both of these groups because I think that they address particularly problematic areas in the implementation of the PCI DSS. (

Finally, there are several guidance documents that originated out of version 2 of the PCI DSS but which are still useful:
  • eCommerce Guidelines
  • Mobile Payment Acceptance
  • Cloud Computing Guidelines
  • Risk Assessment Guidelines
  • Wireless Guidelines
  • Tokenization Guidelines
  • Virtualization Guidelines

While there are still numerous areas within version 3 of the PCI DSS that need clarification, the best practices and guidance documents above will help merchants make sense of the intent of the areas addressed and prepare for the evolution from best practices to requirements in future versions of the standard.

Joe Tinucci is the Assistant Treasurer at the University of Colorado, where he manages the University's banking relationships.  As part of that job, he also drives the PCI DSS compliance process for approximately 160 card-accepting merchants across diverse card-acceptance environments in four campuses. Joe can be reached at (303) 837-2185 or