We’ve been closely following all the revelations about the recent massive credit card breach at Target stores in the U.S., which was soon followed by news of credit card theft from Neiman Marcus and Michael’s stores. Corey Nachreiner has done a great job of summarizing the chain of events in a recent blog post.
It is likely that all of the retailers involved, including Target, Michael’s, and Neiman Marcus, had passed their PCI compliance audits. But malware was used to scrape credit card data from the RAM of the Point of Sale (POS) systems, and it looks like the hackers broke into the IT infrastructure at Target using stolen third-party vendor credentials. The net result is that consumer confidence in the safety of credit card data is probably even lower today than it was back in 2004, when the PCI standard was first introduced. In the wake of these breaches, many people, including Gartner analysts, have been asking whether the PCI standard is worthwhile.
PCI is not a panacea for all credit card loss. It is a basic set of security controls that codifies common-sense security practices. Compliance is not security. Passing an annual audit for the PCI standard does not guarantee the safety of your customers’ data, much like getting a driver’s license does not mean that you will never crash a car. You need to remain vigilant at all times.
It is debatable whether the standard is adapting fast enough, but it is still important for affected security pros to stay current with the latest updates. To help you, WatchGuard has just finished a new webinar on credit card security and the updates in PCI DSS 3.0, titled “Closed to Risk, Open for Business.”
PCI DSS is a fairly mature standard now. Most of the changes in PCI DSS version 3.0, which was published in November 2013 and took effect in January, are in place to clear up any points of confusion between QSAs and the companies that they audit.
In fact, 62 of the listed changes are Clarifications, another 5 are Additional Guidance, and the remaining 19 are more significant updates that fall into the category of Evolving Requirements. The Evolving Requirements are probably the most significant, and some of the key new areas of emphasis include:
- Combined password strength requirements.
- Relationship and responsibilities of third party vendors and cloud providers.
- Better documentation of the scope: network diagrams should not include cardholder data flows; maintain an inventory of systems in scope and an inventory of wireless access points.
To find out more details about PCI DSS and what’s new in version 3.0, you can watch the full WatchGuard webinar here.