Version 3.0 is a watershed moment, as the PCI Security Standards Council has made great strides in stressing that the Standard should help campus merchants "make payment security a part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility."
COMPLIANCE VS. SECURITY
I have been involved with the PCI DSS since its inception (in the early 2000s), and during that time I have seen many colleges and universities treat "compliance" with the DSS as the same thing as achieving "security." Since there are still some very public breaches and compromises every year, we have to ask: Is compliance the same as security? Let's agree on the terms "compliance" and "security" first.
Compliance programs merely include controls that a regulatory body considers to represent the minimum requirements to which an organization (e.g., a campus) should adhere, given the risk to the data. Compliance with relevant standards (PCI DSS, HIPAA, FERPA, GLBA, etc.) is important and necessary, and these standards can help colleges and universities develop usable frameworks and policies. However, compliance alone should never be considered the final answer on security, nor should compliance be the measuring stick by which campuses evaluate their security posture. You can pass an audit and still be vulnerable to an attack.
Security can be described rather simply as the implementation of controls to counter or address vulnerabilities or threats to the asset being protected. Bob Russo, general manager of the PCI Security Standards Council, says "Though a company might be certified as PCI compliant, it's important to remember the compliance certification is just a snapshot in time. You can be in compliance today and totally out of compliance tomorrow, because of a failure to implement some small security measure. This is really about security, not about compliance. These (the PCI controls) are the bare minimum things you should be doing."
A simple example can be seen in your own home. If you install a lock on the front door, you are implementing a control (the lock) to address a vulnerability (an unlocked door) and a threat (that an unauthorized person will enter). The assets being protected include the personal safety of you and your family, your belongings and even your privacy.
Checking off mundane procedures tempts security professionals to become complacent. Complacency creates security gaps. It is incumbent upon an organization to ensure that the security team does not lose sight of the objective and focus. In fact, organizations serious about security make it an enterprise-wide priority. They formalize and enforce corporate security policies, rather than simply seeking to ensure compliance with external standards. They prioritize employee education alongside technology deployment and they build defenses into every layer.
Troy Leach, CTO of PCI SSC, explains that there is a real emphasis in the new standard on the process of making things secure. When it comes to PCI-DSS testing, the testing is now intended to make sure that the process is secure, rather than just making sure a company has a specific security technology in place. "We have incorporated policy and ongoing risk assessment throughout the standard," Leach said. "What that does, especially in large organizations, is it helps to achieve more consistency around process-oriented controls. There is also more of an emphasis on having an ongoing responsibility that extends beyond just the point-in-time when a PCI-DSS audit takes place."
WHY IS THIS SO DIFFICULT FOR HIGHER EDUCATION?
Information security is a particularly difficult task for colleges and universities because there are unique aspects of higher education that compound the difficulty. The campus environment is markedly different from more traditional merchants in a variety of ways. First, the open nature of the college/university physical and technical environment is distinct. Second, departmental decentralization can sometimes inhibit central policy enforcement. Third, colleges and universities that operate data-rich information systems create a natural target. Fourth, there are now more sophisticated intruders, with potential criminal intent. Fifth, an overloaded IT staff could prevent or delay focus on security measures. Sixth, there are numerous independent payment systems across the campus. Finally, there may be fiscal constraints.
A survey of colleges and universities taken for the 2014 PCI Workshop put on by the Treasury Institute for Higher Education revealed a very interesting phenomenon: prior to the conference, 48% said their campus was compliant, but after three days of training on what being compliant really means, fewer than 10% of the same respondents reported that their campus was actually in compliance.
BUSINESS AS USUAL
"Version 3.0 will help organizations make payment security part of their business-as-usual (BAU) activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility," the PCI Council says. "Overall updates include specific recommendations for making PCI DSS part of everyday business processes and best practices for maintaining ongoing PCI DSS compliance; guidance from the Navigating PCI DSS Guide built in to the standard; and enhanced testing procedures to clarify the level of validation expected for each requirement."
The PCI SSC is hoping that by building the controls into organizations' BAU, the biggest problem in maintaining compliance will be diminished. Examples of how PCI DSS should be incorporated into BAU activities include, but are not limited to, the following:
• Monitoring security controls to ensure that they are operating effectively and as intended.
• Ensuring that all failures in security controls are detected and responded to in a timely manner.
• Reviewing changes to the environment prior to completion of the change.
• Ensuring that changes to the organizational structure result in a formal review of the impact on the PCI DSS scope and requirements.
• Reviewing and communicating to confirm that the PCI DSS requirements continue to be in place and personnel are following secure processes.
• Reviewing hardware and software technologies at least annually to confirm that they continue to be supported by the vendor and can meet the organization's security requirements, including PCI DSS.
The PCI DSS is about protecting cardholder data. This can only be achieved if security best practices are applied on a daily basis. Although the PCI DSS is only audited annually, security can only be achieved when the controls are implemented as business as usual. To ensure adherence to the Standard (and therefore certification), organizations need to record evidence of everyday use of the controls that the Standard mandates.
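The BAU items above (monitoring controls, detecting and responding to control failures, reviewing technologies for continued vendor support) and the evidence-recording point just made can be turned into a routine check rather than an annual scramble. The following is an added example, not code from the article, from CampusGuard, or from the PCI SSC; it assumes a campus keeps a simple register of its controls (a review interval, the date evidence was last recorded, any open control failure) and of its payment technologies (vendor end-of-support date), and flags what has fallen out of business-as-usual. All control names, dates and the response SLA are constructed sample values.

```python
"""Continuous-control evidence checker (added example; all data constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class ControlRecord:
    control_id: str                  # hypothetical label for a campus control
    review_interval_days: int        # how often evidence must be recorded
    last_evidence: date              # last date evidence of operation was logged
    failure_detected: Optional[date] = None   # open control failure, if any
    failure_resolved: Optional[date] = None


@dataclass
class Technology:
    name: str                        # hypothetical payment component
    vendor_support_ends: Optional[date]   # None = no announced end of support


def overdue_controls(records, today):
    """Controls whose evidence is older than their review interval.
    Returns (control_id, days past the interval) pairs."""
    out = []
    for r in records:
        age = (today - r.last_evidence).days
        if age > r.review_interval_days:
            out.append((r.control_id, age - r.review_interval_days))
    return out


def unanswered_failures(records, today, response_sla_days):
    """Detected control failures still open past the response SLA.
    Returns (control_id, days open) pairs."""
    out = []
    for r in records:
        if r.failure_detected is None or r.failure_resolved is not None:
            continue
        open_days = (today - r.failure_detected).days
        if open_days > response_sla_days:
            out.append((r.control_id, open_days))
    return out


def unsupported_technologies(techs, today, horizon_days=365):
    """Split technologies into already-unsupported and expiring within
    the next review horizon (default one year, matching an annual review)."""
    expired, expiring = [], []
    for t in techs:
        if t.vendor_support_ends is None:
            continue
        if t.vendor_support_ends < today:
            expired.append(t.name)
        elif t.vendor_support_ends <= today + timedelta(days=horizon_days):
            expiring.append(t.name)
    return expired, expiring


def bau_report(records, techs, today, response_sla_days=7):
    """Summarise the three checks; 'compliant_today' is False if anything is flagged."""
    overdue = overdue_controls(records, today)
    failures = unanswered_failures(records, today, response_sla_days)
    expired, expiring = unsupported_technologies(techs, today)
    return {
        "overdue_controls": overdue,
        "unanswered_failures": failures,
        "unsupported": expired,
        "support_ending_soon": expiring,
        "compliant_today": not (overdue or failures or expired),
    }


# Constructed sample register: dates chosen to exercise each branch.
TODAY = date(2014, 6, 1)
SAMPLE_CONTROLS = [
    ControlRecord("Daily log review", 1, date(2014, 5, 31)),
    ControlRecord("Quarterly internal vulnerability scan", 90, date(2014, 2, 1)),
    ControlRecord("Firewall ruleset review", 180, date(2014, 1, 15)),
    ControlRecord("Anti-virus definitions current on POS hosts", 1, date(2014, 6, 1),
                  failure_detected=date(2014, 5, 20)),
]
SAMPLE_TECH = [
    Technology("POS terminal firmware", date(2014, 9, 30)),
    Technology("Legacy payment gateway SDK", date(2013, 12, 31)),
    Technology("Tokenization appliance", None),
]

if __name__ == "__main__":
    for key, value in bau_report(SAMPLE_CONTROLS, SAMPLE_TECH, TODAY).items():
        print(f"{key}: {value}")
```

Run daily, a report like this is itself the evidence of everyday use that the paragraph above calls for; the point is that a control with no recent evidence, or a failure nobody has responded to, is a compliance gap long before the annual audit notices it.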
The question that the new standard will help merchants to answer is "Do we have the culture to protect our customers' cardholder data every day and every hour that we're doing business?"
Information security can be challenging, as it requires both consistency and adaptability. That is surely a difficult balance to achieve. However, as breaches continue to take center stage among the boardrooms, media, and regulators, achieving that balance is more important than ever.
is president and co-founder of CampusGuard, a QSA firm dedicated solely to assisting higher education with PCI compliance and security, as well as with the protection of other personally identifiable information. Ron is also the co-chairman of the Treasury Institute for Higher Education's annual PCI Workshop.