Updates on the State of PCI Security Standards from the 2019 PCI SSC North America Community Meeting
Our cybersecurity team attended the 2019 PCI SSC North America Community Meeting in September in Vancouver to hear updates on PCI industry trends, as well as insights and strategies on best practices.
The PCI Standards continue to evolve as real-world threats and vulnerabilities advance. Many of the messages delivered during the Community Meeting focused on current and future threats. Below are four important takeaways from the North America Community Meeting on the current and future state of payment card security:
- Card-present attacks are on the decline and card-not-present attacks are on the rise. The most common card-present attack is card skimming. With the widespread implementation of EMV (cards with chips on them), fraud has fallen significantly in this area. Card-present attacks are risky for the attacker because they require being physically present, investing in hardware to read cards, and returning to the scene of the crime to retrieve the skimmed card data. Because of these disincentives for the attacker, there has been a rise in e-commerce skimming attacks. In August 2019, PCI SSC issued a security bulletin for web payments, specifically on how to protect against “MageCart” attacks.
- Card payments have become more reliant on software. It wasn’t long ago that our credit card machines were very simple. Today, payment terminals are all-in-one machines that can both run your business and take payments. PCI has developed a Software Security Framework to provide guidance on how to securely develop payment software and protect against e-commerce attacks.
- PCI DSS v4.0 will provide more flexibility in meeting PCI compliance. One criticism of the PCI DSS is how rigid some of the requirements can be. The Council has learned from several rounds of Requests for Comments that offering flexibility in how compliance is achieved is key. In a preview of the standard, the Council described an alternative assessment approach based on objective-focused requirements. Another security framework that uses objective-based controls is SOC (System and Organization Controls). This may make it easier for service providers to achieve both PCI and SOC compliance in the future.
- Your credit card number will eventually go away. Apple’s new credit card is the first card to take this leap. The card uses dynamic cryptography for authentication and authorization. So even if an attacker captures that payment data, it won’t be useful for future transactions. Keep an eye out for adoption in other countries, since US merchants will likely lag in implementation.
What does this mean for merchants? The good news is that there are people working hard to make it easier for merchants to meet PCI compliance and reduce the likelihood of card fraud. The bad news is that the payment landscape is changing rapidly and requires constant investment in payment technologies.
To learn more about our comprehensive cybersecurity and data privacy services, please contact Bill Gogel, Advisory Services Manager, at firstname.lastname@example.org or 314.983.1363.