In recent years, the annual PCI Community Meetings (both here in the U.S. and abroad) have served as an important forum for discussing and gaining a stronger understanding of payment data security best practices and requirements. With the planned release of version 3.0 of both the PCI DSS and the PA-DSS in November 2013, this year’s North American PCI Community Meeting was abuzz with conversation about what is to come.
Here are my five key takeaways from the 2013 North American Community Meeting:
- Recent breach trends have influenced the Council’s focus with PCI DSS 3.0 – Weak passwords, improper scoping of the cardholder data environment, Web application vulnerabilities and third-party slipups are some of the key security issues that commonly contribute to cardholder data breaches. Each of these issues will be proactively addressed in the requirements updates of version 3.0, so that merchants and merchant service providers (MSPs) can shore up their defenses where cyber attacks are really occurring.
- Penetration testing is a big deal – Penetration tests simulate the very real danger of a cyber criminal actively attacking a business’s IT systems and Web applications in an attempt to bypass its countermeasures; therefore, it’s extremely important for the penetration tester to use a methodology that’s consistent with industry best practices. The SSC will recognize the importance of a properly conducted penetration test by providing further clarification within section 11.3 of the DSS.
- Windows XP is no big deal right now, but it will be come April 2014 – PCI Community Meeting attendees had much to say about Microsoft’s April 8, 2014 end-of-life date for its Windows XP operating system. The well-founded concern is that, once support ends, the POS systems utilizing it will represent “fresh meat” to cybercriminals because known vulnerabilities will not be patched. Some have estimated that as many as one-third of the POS systems in use by U.S. business owners are currently running on Windows XP.
- The Council is up to speed on EMV, and no, it will not negate the PCI DSS – It was encouraging to see how closely the SSC is working with EMVCo to understand and integrate payment security best practices as the U.S. progresses with EMV technology adoption. EMV is proven to deter counterfeit fraud such as skimming, as well as fraud from lost and stolen cards, but there has been an uptick in card-not-present (CNP) fraud in countries where widespread EMV adoption has already taken place.
- It really is all about removing complexity for the SMB merchant – A lack of dedicated IT and security resources as well as common missteps (see point #1 above) make small and mid-sized merchants an easy target for cybercriminals. PCI Community Meeting attendees shared a common interest with the Council to better assist these merchants in understanding and complying with the PCI DSS. It was invigorating to be a part of the discussion and to know that in doing so, I am a part of the solution.
Want to learn more about payment security and compliance for your business? Click here or give us a call at 1-800-825-3301 x 2. We’d be happy to help.