It’s amusing to think the Vanilla Ice lyric, “stop, collaborate, and listen,” could be used to describe the 2018 PCI North America Community Meetings, but it’s quite appropriate. Each year, the PCI Security Standards Council conducts the popular industry conference and, each year, LBMC Information Security is on hand to discover new council initiatives, to learn new strategies for common compliance challenges, and to engage with solutions providers and fellow assessor organizations.
With all the ongoing activities associated with PCI compliance, it’s important to step away and evaluate the associated responsibilities and processes observed by merchants, service providers, and assessors alike. The Community Meetings give these organizations the opportunity to engage with each other, as well as with council staff members and card brand representatives. The idea is to cultivate an environment where all stakeholders are encouraged to…
The council’s central theme this year was “collaboration to help secure payment data.” Council leadership repeatedly emphasized their intent to gather input from the participating organizations represented at the conference to continually improve the various PCI security standards. Fellow standards bodies, including EMVCo, NIST, ASC, and CIS, participated in panel discussions to affirm their commitment to collaborating with the council toward consistency among the various standards. The council also encouraged participation in and committed to transparency throughout the Request for Comment process leading up to v4.0 of the PCI DSS. Altogether, the council demonstrated to the organizational community its intent to…
Among the most important aspects of the Community Meetings is the opportunity given to participating organizations to engage directly with the very folks who write and oversee the standards. In this year’s presentations, council staff demonstrated their willingness to listen to feedback and suggestions from the community as the standards evolve. Emerging standards and requirements, as well as clarification on existing requirements, appear to address common struggles organizations face in their compliance programs. Since 2016, the council has concluded each conference with an assessor Q&A session where QSAs and ISAs are given the opportunity to address a panel of council staff members. To their credit, the council has been receptive to compliance challenges of which they were unaware and to associated improvement recommendations. LBMC Information Security applauds the council’s receptiveness and is committed to contributing to this collaborative effort on behalf of our clients and the assessor community.
Software Security Framework
As addressed in several presentations throughout the conference, the role of security in application development must continue to evolve. Demands for more complex applications delivered in quicker time frames present organizations and their development staff with the all-too-familiar challenge of balancing usability with security. Add rigorous security controls to the mix, and organizations can understandably struggle to prioritize between the demands of customers and those of their compliance obligations.
In accordance with the conference’s theme, a collaborative approach that involves development and security representatives—a new “DevSecOps” paradigm—was presented to ingrain security throughout the development process. This involves not only documented processes but, just as importantly, training developers in secure coding practices. For continuous integration and continuous delivery (CI/CD) environments, the concept of “shifting left,” or automating software changes, was presented. Shifting left aims to automate application changes and the associated separation of duties to minimize human interaction and the inherent security risks associated with these elements.
The council has clearly taken notice of the rise in attacks against payment applications, particularly web-based payment applications, and resolved to supplement existing DSS requirements for secure development procedures. The result is the soon-to-be-published Software Security Framework, which is intended to enhance organizations’ existing Software Development Life Cycle programs. The framework will consist of a Secure Software Standard and Secure Software Lifecycle Standard. Like other standards, these will include requirement modules and, ultimately, will serve as the framework for new application validation programs. Current PA-DSS validation programs will be deprecated, with new validations discontinued after 2020.
Until now, requirements for including security throughout the software development life cycle (requirement 6.3 for those following along at home) have focused on what to prevent, but not necessarily how. Due to be published in Q4 of 2018, the PCI Software Security Framework looks to be a valuable tool for organizations needing to mature the people and processes involved in application security, in addition to the applications themselves.
LBMC Information Security’s team is one of the longest-tenured and largest PCI assessors in the United States. If your organization is considering a PCI assessment, contact us to learn how we can help.