If your organization stores, processes and relays sensitive credit card and customer information, security should be your prime concern. Major brands credit card companies such as MasterCard, Visa, Discover, American Express and JCB International, recognized a need for security standards for the personal and financial information of their consumers. They believed that by increasing the controls surrounding a card holder's data, they could potentially reduce credit card fraud. Thus, they collectively founded the group known as Payment Card Industry Security Standards Council in 2006. Aside from its other responsibilities, the council was to primarily administer Payment Card Industry Data Security Standards (PCI DSS). While the council manages the PCI DSS, the payment brands are true enforcers of these standards.
The PCI DSS encompass all issues beginning from the card data being entered into a system, data processing and ending with newly developed applications for secure payments. The standards lay down policies and procedures for network architecture, security management and software design. As an organization seeking to comply with PCI DSS requirements, you should:
● Create and support a network that is secure
● Protect the data of cardholders
● Enforce unyielding access control measures
● Monitor and evaluate your networks regularly
● Provide support for policies on information security
With time, PCI DSS have also matured to keep in line with the vulnerabilities and latest threats that can breach security. As we welcomed the New Year, version 3.0 of PCI DSS was released by the Council and came into effect on January 1, 2015. All organizations that care about keeping customer data safe and employ best practices have already began working on achieving compliance with the 3.0 standards. Compliance to standards provides an organization with a shield for damages that a breach in security can cause. No one wants to risk their business, corporate image, and most importantly the privacy of their customers.
However, the release was not set to counter the true security crises that emerged in mid and late 2014. The Heartbleed bug essentially allowed just about anyone present online to read and scan through the memory of OpenSSL protected systems. Attackers were able to eavesdrop on sensitive communications, directly steal data and impersonate users. Later, the Shellshock flaw threatened to wreak immense havoc. This presented hackers control of vulnerable machines, opportunities to steal data, ability to shut down entire networks and caused a myriad of other problems. While Heartbleed was only affecting servers, Shellshock was able to affect most devices connected to the internet including MP3 players, digital cameras and even traffic lights! This attack was also able to self-replicate and possessed the means to spread through systems and devices like an epidemic. Finally, there were the banks, credit agencies, and investment firms that fell victim to the POODLE bug. Attackers were exploiting flaws in SSL 3.0 to decrypt any encrypted transaction and extracted information to impersonate legitimate users.
A Reviewed Version
As organizations worldwide dealt with these catastrophes, the Council together with other stakeholders in the security industry set out to understand how to patch such gaping holes in security measures. Subsequently, in February 2015, the Council announced a revision that was to be expected in PCI DSS. After being published on 15th of April, PCI DSS 3.1 became immediately effective. As many organizations had worked hard to adopt the previous standards, version 3.0 was to be retired by 30th of June.
One of the main changes of the revised PCI DSS 3.1 has been the abandoning of a security protocol once favored for encryption. It was determined that Secured Socket Layers (SSL), which was a tool that encrypted server and client communication, could no longer be depended upon. SSL was compromised because of its inherent flaws and was not able to offer complete protection of data privacy. Basically, an everyday tool that users used to transact and communicate had the capacity to inflict severe damage. As a result, there has been an adoption of the latest release of the Transport Layer Security (TLS) 1.2 protocol. TLS protocol is also a medium which protects data that is sensitive in nature when it is being distributed electronically across multiple networks. TLS 1.3 is in development; it is being aimed to mitigate all issues related to encryption and provide additional measures against exploitation.
If you've taken the time out to learn about PCI DSS 3.1, it is easy to deduce that you belong to an organization with foresight and genuine concern for your customers’ privacy. You evidently want to ensure the safety of your customers' financial information and want to protect them against fraud. Thus, it is imperative that you consider the new requirements of PCI DSS 3.1 and accordingly implement these changes.