PCI DSS update should better define risk assessment requirements, says information security expert

Out-Law News | 13 Sep 2013 | 3:06 pm | 2 min. read

Retailers are using new technology in payment systems without being forced to undertake sufficiently strict risk assessments, an information security expert has said.

Michael Aminzade, director of delivery for EMEA and APAC at information security provider Trustwave, told Out-Law.com that proposed new upgrades to the Payment Card Industry Data Security Standards (PCI DSS) do not set sufficiently strict obligations on retailers to assess risks associated with introducing new technology into payment systems.

"Organisations are generally embracing technology, with mobile tablets and devices increasingly replacing traditional 'point of sale' devices," Aminzade said. "Technology has been developed quicker and adopted quicker over the last five years, but the management of that technology – the skills and resources – is lacking."

Consumer demand and behaviour have prompted the adoption of mobile technology in payment systems, but the proposed upgrades to PCI DSS requirements for retailers would not oblige them to evaluate that technology's risks sufficiently, Aminzade said.

Last month the Payment Card Industry Security Standards Council (PCI SSC) announced plans to update the existing PCI DSS framework. PCI DSS is the main standard for storing payment card data and it sets out 12 requirements specifying steps which should be taken to ensure payment card data is kept safe both during and after transactions.

Final PCI DSS version 3 rules are not expected to be publicly released until November, but the PCI SSC said that "more rigorous testing procedures for validating proper implementation of requirements will help organisations drive and maintain controls across their business".

Under existing requirements organisations handling payment card data are required to conduct an annual risk assessment. However, Aminzade said that those requirements should be expanded under PCI DSS 3.

The scope of risk assessments, the framework in which they are conducted, the qualifications required by those undertaking the assessments, the internal risk reporting requirements and who within an organisation should be permitted to accept and approve risks should all be defined within the risk assessment rules under PCI DSS 3, he said.

"The requirements should state that organisations should use an industry recognised framework [for conducting risk assessments]," Aminzade said. "People performing risk assessments should be industry certified."

Internal risk assessments should be performed by suitably skilled and qualified individuals, in accordance with an industry standard, and the internal risk programs organisations deploy should be subject to "external validation", he said.

"The [PCI DSS] standard should reference that an industry level certification should apply," Aminzade said. The standard should not, though, specify which certification scheme should be used, although there are existing external certification schemes that businesses could use, he said. These include the ISO risk framework and ISACA's certification program.

Under the ISACA program, people can obtain a 'CRISC' qualification that shows they are "suitably qualified to review an organisation's risk management and information security controls", Aminzade said.

Aminzade said the "lack of requirements around risk management" within the PCI DSS regime presents a "huge area of risk that needs to be addressed". This is particularly pertinent given the increasing move to mobile payment systems and retailers' reliance on technology outside of their control, he added.

According to Trustwave's 2013 Global Security Report, the company found 400% more samples of mobile malware affecting Google's Android operating system in 2012 than in the previous year.

Aminzade said that the "mobile ecosystem" contains a potentially "hostile security environment" where there are risks outside retailers' control. This is in part due to the fact that hardware vendors, as well as operating system and third party application developers are all involved within the ecosystem, he said.

"There is this hole between organisations putting in correct level of risk management and framework and the level of skills in the organisations to deliver appropriate risk visibility and management," Aminzade said.

Organisations need to be able to mitigate or accept the risks they identify, although accepting risks requires businesses to understand the potential impact on both themselves and consumers if things go wrong, he said. The updated PCI DSS requirements should set "a minimum level" of risk management that should be "unacceptable not to comply with", he added.

Aminzade said he expects a new data security standard to be established by the PCI SSC to deal with the specific issue of mobile payments.