The new payment security standards update lacks a sense of urgency (Donnie MacColl)


As COVID hit businesses around the world, and shops were either closed or no longer accepting cash as the preferred method of payment, we saw a dramatic increase in payment card data volume. Fast-forward to today, and the volume of online transactions and
use of point-of-sale machines continue to soar. As most of the data is held in the cloud, the opportunities for cyber-attacks are spiking at the same time, which means that the previous version of the Payment Card Industry Data Security Standard (PCI DSS)
is no longer sufficient.

Since 2004, the PCI DSS has ensured that organisations processing or storing credit card information can do so securely. After the pandemic, the guidance on security controls was in urgent need of an update. This is when the new version – PCI DSS v4.0 –
was announced. While companies have two years to plan their implementation, most financial businesses must have everything in place by March 2025. However, there is a risk of working to a long-lead deadline as it fails to create a sense of urgency, and many
of the security updates included in the new standard are practices that businesses should have already implemented.

For example, “8.3.6 – Minimum level of complexity for passwords when used as an authentication factor” or “5.4.1 – Mechanisms are in place to detect and protect personnel against phishing attacks” are listed as “non-urgent updates to implement in 36 months”.
With the high level of cyber threats following the Russian-Ukrainian conflict, this timeframe isn’t fast enough to raise the level of cyber protection needed by financial institutions and retail businesses, which poses a real threat to customer data and privacy.

To break it down further, there are some important and interesting numbers that illustrate both its scope and its limitations:

  • 51 and 2025 illustrate the fundamental problems with PCI DSS V4.0: 51 is the number of proposed changes classified as “best practice” between now and 2025, when they come into force, i.e. three years from now!

Let’s look closer at the 13 immediate changes for all V4.0 assessments, which include items such as “Roles and responsibilities for performing activities are documented, assigned and understood”. These comprise 10 of the 13 immediate changes, which means
the bulk of the “urgent updates” are basically accountability points, where companies accept that they should be doing something.

And now let’s look at the updates that “must be effective by March 2025”:

  • 5.3.3: Anti-malware scans are performed when removable electronic media is in use.

  • 5.4.1: Mechanisms are in place to detect and protect personnel against phishing attacks.

  • 7.2.4: Review all user accounts and related access privileges appropriately.

  • 8.3.6: Minimum level of complexity for passwords when used as an authentication factor.

  • 8.4.2: Multi-factor authentication for all access into the CDE (cardholder data environment).

  • 10.7.3: Failures of critical security control systems are responded to promptly.

These are just six of the 51 “non-urgent” updates, and I find it unbelievable that the detection of phishing attacks and use of anti-malware scans are part of that list. Today, with phishing attacks at an all-time high, I would expect any global financial
institution with sensitive data to protect to have these in place as essential requirements, not something to have in place in three years’ time.

Despite the threat of huge fines and the risk of having credit cards withdrawn as a payment method if organisations fail to comply with PCI standards, only a few penalties have been actioned so far. Waiting a further three years to implement the new requirements
contained within V4.0 seems to imply a lack of the ownership that some of the changes deserve, and is far too risky.

I appreciate that it does not mean companies have not already implemented some or all of the updates. However, for those who have not, actioning those updates will require investment and planning, and for these purposes, PCI DSS V4.0 needs to be more specific.
For example, if security failures need to be responded to “promptly”, does that mean 24 hours, 24 days or 24 months? I believe that stakeholders would be much better served with more specific deadlines.

While PCI DSS V4.0 represents a good basis for moving the standard forward, it should have been implemented with greater urgency. Granted, there are a lot of changes to address, but a better strategy would be to adopt a phased approach, i.e. prioritise changes
required immediately, in 12 months, 24 months and 36 months from now rather than say they must all be effective in three years’ time.

Without this guidance, it’s likely some organisations will shelve these projects to be looked at in two years’ time when the implementation plan deadline approaches. However, in an era when payment card crime continues to be a ubiquitous risk, there is little
to be gained from delay.
