This year, the Payment Card Industry Data Security Standard (PCI DSS) is ten years old. Happy birthday PCI DSS, ten years is a significant milestone. Yet the Verizon 2014 PCI Compliance Report reveals that around 90% of organizations are not fully PCI DSS compliant. In fact, only a little more than half of the companies in the study passed 7 of the 12 PCI DSS requirements. And with the release of PCI DSS version 3 in November 2013, and an implementation date of June 30, 2015, we can expect compliance to dip even further in the near term.
This lack of compliance is disconcerting because the PCI DSS is meant to serve as a minimum security standard. A company’s security program should meet and exceed the PCI DSS requirements, achieving compliance as a by-product of implementation. But if organizations aren’t meeting the PCI DSS requirements, not only are they not compliant, they’re not secure—providing opportunities for cybercriminals.
With ten years under its belt, and now three versions, the PCI DSS has had time to mature and evolve to help close gaps posed by new threats. However, the requirements are often purposefully general in their mandates to provide flexibility in implementation. Although this flexibility can be helpful, it means that the requirements sometimes lack specificity. This is another reason why organizations should implement a strong security program regardless of the PCI DSS mandates. However, organizations could also benefit from additional guidance in the PCI DSS.
To help address this need for clarity, the PCI Security Standards Council (PCI SSC) supports two Special Interest Groups (SIG) each year. The SIG topics cover either a technology challenge or implementation within a specific industry. The outcome of these SIGs is usually a guidelines document and recommended changes or clarifications to the standards.
As a PCI Participating Organization, Venafi is proposing a SIG to address Securing Cryptographic Keys and Digital Certificates. These cryptographic assets are essential to protecting all of our sensitive electronic data:
- Protect data at rest
- Secure data in transit
- Authorize and authenticate servers, devices, software, cloud, and privileged administrators and users
Cryptographic keys and digital certificates are the foundation for securing data, keeping communications safe and private, and establishing trust between communicating parties. They are critical to securing cardholder data—as well as the organization’s business—and are specifically mentioned throughout the PCI DSS. However, the PCI DSS lacks clarity and breadth on the security needed.
What’s more, new requirements were just introduced in PCI DSS v3 that increase the demands to secure keys and certificates, such as protecting these assets against malware, providing inventory capabilities, and offering certificate-based authentication. Protection against malware is of particular importance because changes in the threat landscape have increased the attacks that target cryptographic assets to enable trust-based attacks.
There has been a dramatic increase in the criticality of vulnerabilities and threats that impact keys and certificates, including Heartbleed, the Mask APT operation, and Operation Windigo—just to name a few. And in the McAfee Labs Threat Report for the fourth quarter of 2013, McAfee reveals that malware signed with legitimate certificates rose by 52% quarter over quarter and more than tripled from the previous year. The report emphasizes, “… the misuse of legitimate code-signing certificates erodes user trust.” These threats underscore the importance of strong security and remediation capabilities for keys and certificates.
The proposed SIG will provide guidance on how to approach the PCI DSS requirements that address cryptographic keys and digital certificates, offering a guidance document and checklist on security options and how they interrelate to best secure businesses and comply with PCI DSS requirements. This SIG is also needed to propose new security requirements for keys and certificates:
“New forms of attack are emerging that target data during processing and transmission — partly driven by increasing security measures put in place to protect data at rest. The PCI DSS does not currently require organizations to encrypt data being transmitted within the [cardholder data environment]. We believe that unless this is addressed, it could become a significant threat to [cardholder data].” Verizon report.
At Venafi, we know that it is already a significant threat and want to help businesses and cardholders stay secure—this is driving our SIG proposal for Securing Cryptographic Keys and Digital Certificates. Want to join our SIG efforts? The 2015 PCI DSS SIG proposal period is now open, with a deadline of July 7, 2015, so we will be submitting our SIG proposal shortly. If selected for the shortlist of proposals, our SIG topic will be voted on during the PCI Community Meetings in September and October 2014.
We would love your support. Contact me on LinkedIn if you’d like to participate in or endorse our SIG proposal efforts.