By Paul Mazzucco, Xand Chief Security Officer

With the latest round of credit card and personal data breaches in the news, the release of the new PCI DSS 3.0 Security Standard is timely indeed. The overall need of data service providers in every level of the transaction process to develop security best practices is now more important than ever.

With Version 3.0, the PCI Security Standards Council (PCI SSC) focuses on flexibility, education, awareness, and security as a shared responsibility. There are several important changes taking place in the jump from Version 2.0 to the new 3.0 framework, and IT Decision Makers will want to make sure their infrastructure and service providers are up to date to ensure maximum levels of security for their critical data.

Key drivers for PCI DSS Version 3.0 include an overall lack of education and awareness, identified by the Council, around coverage responsibility, especially for emerging technologies such as Cloud and Virtualization. Weak passwords and authentication challenges, third-party security, slow self-detection in response to malware and other threats, and inconsistency in assessments were also factors in the update.

When surveying the PCI DSS landscape, it’s critical for those charged with protecting cardholder data to be aware of the multiple access points to their information and where responsibility falls when working with complex infrastructure systems. The PCI Council sets various standards and benchmarks for manufacturers, developers, and providers. For example, at Xand our data center facilities fall into the Service Provider category. This places our company under the PCI Data Security Standard (PCI DSS) umbrella. When searching for a managed services provider, be sure that the level of PCI classification is clearly provided upfront, as this is vitally important in determining the lines of demarcation in data protection responsibilities.

Lack of knowledge around payment card security and, more telling, poor implementation and maintenance of the PCI standards are huge contributing factors in why security breaches happen. In my role as Chief Security Officer, I spend each day working to make sure Xand’s systems are up to date with the latest compliance requirements. Although the PCI DSS standards serve as a great guide against which we test ourselves, building an overall security policy and a proper employee training program is key to making sure that the human element of our security standards remains tight. Security standards are unfortunately always playing catch-up against the newest attack vectors, and companies cannot simply allow a stamp of compliance to govern their security mandates.

Security is a dynamic field, and those who rest on their laurels often find themselves quickly exposed. When dealing with outsourced solutions providers or managed services vendors, don’t just accept a logo on their website as a rubber stamp for security. Be sure to ask which version of the standard they adhere to, when the last update was conducted, and how often the organization undertakes audits. These criteria separate the wheat from the chaff in IT security.

With regard to PCI, the PCI Security Standards Council has made several important improvements to the PCI DSS certification in version 3.0. The updated version of PCI DSS tackles the following:

  • Provide stronger focus on some of the greater risk areas in the threat environment
  • Provide increased clarity on PCI DSS & PA-DSS requirements
  • Build greater understanding on the intent of the requirements and how to apply them
  • Improve flexibility for all entities implementing, assessing, and building to the Standards
  • Drive more consistency among assessors
  • Help manage evolving risks / threats
  • Align with changes in industry best practices
  • Clarify scoping and reporting
  • Eliminate redundant sub-requirements and consolidate documentation

Ask your provider which version of PCI DSS they are certified for. Version 2.0 will be supported until December 2014, and many companies will hold off on updating until the last possible moment. With greater transparency and a more nuanced approach to Cloud, Virtualized, and Multi-Tiered environments, taking the extra steps to ensure your provider is up to date with PCI DSS Version 3.0 may save some tremendous security headaches down the road. Updating frameworks can be a cumbersome process, but I felt it was of utmost importance to secure the latest PCI DSS update for Xand to give our clients the maximum level of protection available. Xand is privately owned and funding is in place to fully support security initiatives. However, other providers may be hampered by financial constraints, operational shortfalls, or simply a lack of expertise to keep up with the vast changes coming from PCI.

In addition to maintaining a wide scope of compliances and managing several security systems, I’m often called to take part in client meetings at Xand, where I answer questions and scope out security concerns. The point here isn’t to outline my day (busy!) or sell you on Xand (although we love new customers!) but rather to highlight the importance of having dedicated in-house security personnel. Not every Cloud or Managed Services Provider is in a position to have such dedicated security resources. Use this as another benchmark when seeking a partner for PCI DSS compliant systems.

Overall, the jump from PCI DSS Version 2.0 to 3.0 is an important one, not just for MSPs but for the industry as a whole. Even those who don’t deal directly with cardholder data would do well to seek out infrastructure solutions partners who adhere to PCI DSS mandates, as the practices set forth by the framework can do much to hedge against the risk of an unmitigated security disaster.