Fighting PCI non-compliance could require new frameworks, zero trust

Falling PCI DSS compliance rates could force the PCI Security Standards Council to be more open to other regulatory frameworks and make enterprises aim higher in terms of data security. Could zero trust be part of the solution?

As enterprise compliance with the Payment Card Industry Data Security Standard has fallen dramatically, enterprises are struggling to find the best way forward. One possibility could be to look beyond the PCI DSS framework and consider zero trust to secure all sensitive information instead of just payment data.

Verizon's annual reports from the past two years showed PCI non-compliance rates rose significantly, with only 36.7% of organizations being fully compliant in 2018, down from 52.4% in 2017 and 55.4% in 2016. The most striking change was in the Americas, where compliance fell by nearly by half -- from 39.7% in 2017 to 20.4% in 2018.

Multiple contributing factors are at play with the continued rise in PCI non-compliance, including risk tolerance, enterprise resource management and simply ignoring the requirements. Renee Murphy, principal analyst at Forrester, suggested the PCI Security Standards Council (PCI SSC) could look to tie PCI DSS compliance to other frameworks, or enterprises could aim for a more holistic approach with the zero-trust model.

Risk tolerance vs. cost of compliance

The ramifications of PCI non-compliance can be steep, with payment brands fining organizations between $5,000 and $100,000 per month and banks or payment providers potentially terminating the relationship with the organization. In general, these penalties are only enforced after a data breach in which payment card data has been affected because the organization was found to be non-compliant.

As a result, this leads executives to compare the odds of being breached with the cost of upgrades to meet PCI DSS guidelines, Murphy said.

"You might get slapped and pay a fine, but that's still cheaper than overhauling your entire department to make sure you didn't have that problem in the first place," Murphy said. "Executives look at that and say, 'This year, I'm going to roll the dice. It hasn't happened in the last 10 years. Why would it happen now?'"

Moving beyond the PCI DSS framework

One way to improve compliance rates would be to frame compliance as a competitive advantage, Laurence Pitt, global security strategy director at Juniper Networks, suggested.

"What the PCI Council needs to do is develop better awareness programs to help organizations in achieving compliance. No one wants to fall behind, and so this will cause people to sit up and listen," Pitt said. "Remember that compliance is not just something the business has to do to tick a box; it's also something that can be used to increase customer confidence."

Any efforts by the PCI SSC to combat rising PCI non-compliance rates could face challenges because it isn't "a hard standard," Forrester's Murphy said. "It's hardly a best practice. It's a pretty good practice. It's hard to tell people you shouldn't do as much. We don't live in the world of one framework at a time."

If you do ISO 2700 1 and 2, you already took care of PCI. That should be good enough for PCI.
Renee MurphyPrincipal analyst, Forrester

Murphy said she often works to "collapse frameworks." The PCI SSC already offers documentation mapping the PCI DSS framework to the NIST cybersecurity framework, but Murphy suggested the PCI SSC go beyond that and accept compliance certification from certain other frameworks as evidence of PCI DSS compliance.

"If you do ISO 27001 and 27002, you already took care of PCI. That should be good enough for PCI, but it turns out you still have to bring in the [Qualified Security Assessor] and be audited a second time," Murphy said. "I think we're getting to the point now where the other frameworks are just as good, if not better."

Jonathan Care, senior director and analyst at Gartner, told SearchSecurity it was an "interesting idea" for the PCI SSC to accept compliance to an equivalent framework as PCI DSS compliance.

"I do recall one charming employee of a big system integrator who [was] embedded into a U.K. government department rather officiously telling me that, 'Our systems have to comply with <U.K. government security standards>, which are so much more detailed than PCI DSS," Care wrote via email.

It is unclear if the PCI SSC would make a change like that, but Murphy suggested enterprises go beyond what is required by PCI DSS to a zero-trust model applied to all data. Murphy called zero trust the "phoenix rising from the ashes of PCI" because it takes the same principles of network segmentation and isolation, access management and encryption and extends it to all the sensitive information in an organization, including financial data, intellectual property and customer data.

"We've been talking about this for 15 years, and where I see the big conversation happening is around zero trust," Murphy said. "It's time for PCI to grow up and be part of the way we think about managing these structures. [The PCI DSS framework] doesn't cover everything, but if it covered everything in the zero-trust model, that's the right way to work."

Stephen Cavey, co-CEO and director of corporate development at Ground Labs, a data security company based in Austin, Texas, added that organizations seeking PCI DSS compliance in the past focused only on payment card data and ignored storing other forms of personal data. Those organizations have suffered in recent times as additional regulatory requirements surfaced that require organizations to expand their awareness and security processes to all other forms of personal data.

"We are seeing a trend with many enterprise organizations that have taken a pioneering approach to data security and are moving toward a zero-trust model," Cavey said. "They are looking at the full lifecycle of data management, including personal sensitive data, with no assumptions on where it is expected to be found or how it is being used. The end result is to mitigate risk."

Managing risk

A cost-benefit analysis can be difficult because of the constantly changing IT landscape, said Jonathan Deveaux, head of enterprise data protection at Comforte AG, an enterprise data security and digital payments solutions firm based in Wiesbaden, Germany.

"An environment deemed PCI-compliant last year may have new parts of its environment that aren't compliant in the current year," Deveaux said. "This is more about failing to secure early stakeholder buy-in to ensure PCI compliance when a new project is implemented or when new customer-facing features are put in place."

Forrester's Murphy added that some organizations will attempt to mitigate the risks of failing PCI DSS compliance by minimizing or encrypting pieces of the payment card data -- like the CVV [card verification value] number -- or by outsourcing payment processing.

As far back as 2008, however, the PCI SSC warned that using a third-party payment processor may not necessarily mean an organization is automatically compliant.

This warning could also apply to the shift to EMV cards. Experts agree the shift from traditional swipe cards to EMV was done to reduce fraud and as a bank tactic to shift fraud liability to businesses. A secondary benefit was that EMV cards used a single-use transaction code rather than the account number on a payment card. This limited the payment card data a business could gather, while minimizing the risks of PCI non-compliance. Unfortunately, this benefit only applied if all payments processed used the EMV chip. Any time a payment processor had to fall back to swipe, PCI data would be gathered.

Although the switch to EMV led the EU to try to reduce fraud down to almost nothing, U.S. businesses still expect about 4% in fraud, Murphy noted.

"Is that 4% in bad fraud? If it is, they're going to expect it, and that's going to be the end of that. Why implement the technology? Why take on more risk? Why have more data? Why redo all the cards if at the end of the day it's not that much risk?" she said.

"EMV would be the tactical execution of the security strategy in order to reduce fraud, but the framework of PCI still says I need to put that data under change control; I need to segregate that data; I have to control who has access to update that data," Murphy added.

Waiting for PCI DSS version 4.0

The PCI SSC is expected to announce PCI DSS version 4.0 in late 2020. The main pillars of the requirements aren't expected to change, according to the PCI SSC, but the new requirements will consider stakeholder input from the request for comments periods in 2017, 2019 and 2020.

"PCI SSC is evaluating how to evolve the standard to accommodate changes in technology, risk mitigation techniques and the threat landscape," Laura Gray, vice president and global head of communications at the PCI SSC, wrote in March 2019. "PCI SSC is also looking at ways to introduce greater flexibility to support organizations using a broad range of controls and methods to meet security objectives."

The PCI SSC is aiming to adjust the standards to meet the needs of the payment industry, add flexibility for how organizations can meet compliance standards and promote security as a continuous process, according to Gray.

The PCI SSC hasn't mentioned the rise in PCI non-compliance rates or directly addressed any efforts to reverse the trend. The PCI SSC did not provide comments for this story despite multiple requests.

Next Steps

Use a data privacy framework to keep your information secure

How to secure data at rest, in use and in motion

How privacy compliance rules will affect IT security

Dig Deeper on Compliance

Enterprise Desktop
Cloud Computing