EU GDPR/PCI overlap at the PCI SSC meeting in Edinburgh

At last month’s PCI Security Standards Council meeting in Edinburgh – befitting the European setting – there was a lot of talk about the overlap between the payment card industry standards and the forthcoming EU GDPR.

In Europe, PCI DSS is being talked about because under GDPR, credit cardholder information will be considered personal data. The feeling is that organisations can use PCI as a benchmark, and that GDPR isn’t so much superseding PCI as creating a new incentive to be compliant. My view is that the controls mandated by PCI are quite prescriptive, which makes it easy for people who don’t know where to start to do the right thing. In all likelihood, that will make PCI a good benchmark for a lot of companies. The reality is that if you try to comply with either EU GDPR or PCI DSS, there’s an overlap of about 70-75 per cent in terms of the requirements.

The key message is that PCI is here to stay, but how it’s dealt with will depend on the territory. In September, we attended the North American PCI SSC meeting, which was held in Las Vegas (and blogged about some of the talking points from that event). We’re seeing that in the US, PCI is getting traction because of the move to EMV. In Asia, by contrast, more and more countries are codifying PCI into law, so it’s mandatory.

From a technology perspective, there was a lot of talk over the course of the three-day Edinburgh event about tokenisation and point-to-point encryption, but the macro trend is all about devaluing the data and making PCI “go away” for small merchants. By that I mean that the bar for compliance is set low for them because technology is making the process much easier. This is a message that I know Stephen Orfei, the general manager of the PCI Security Standards Council, is pushing very strongly.

By using technical tools such as tokenisation and point-to-point encryption to render the data unusable, it’s “devalued” for potential attackers: what is stored or transmitted in the merchant’s environment is no longer a usable card number. Merchants can limit their attack surface and in doing so, they make themselves a harder target, forcing criminals to look elsewhere for easier pickings. That being said, the technology needed to achieve this is not free, so there is a trade-off and an investment to be made.
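To make the “devaluing the data” idea concrete, here is an added example (not code from the PCI Council, VigiTrust or any vendor mentioned on this page) of a minimal tokenisation flow. The merchant’s order table keeps only a token and the last four digits for receipts; the real PAN lives in a separate vault. The token keeps the card’s length and last four digits but is random in the middle and is deliberately minted so that it fails the Luhn check, so it can never be mistaken for, or used as, a card number. The vault keys its lookup index with an HMAC rather than a plain hash so that the same card maps to the same token without leaving a brute-forceable hash of the PAN. The class and function names, and the test card numbers, are assumptions for the illustration.

```python
"""Added example: tokenising PANs so that a merchant database holds nothing
an attacker can sell. Hypothetical code, not from the PCI SSC or VigiTrust."""
from __future__ import annotations

import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check: real PANs pass it; the tokens minted below deliberately fail it."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mint_token(pan: str) -> str:
    """Random, format-preserving token: same length and last four as the PAN
    (for receipts), random middle, and never Luhn-valid so it cannot pass as
    a card number if it leaks."""
    while True:
        middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
        token = middle + pan[-4:]
        if not luhn_valid(token):
            return token


class TokenVault:
    """Stand-in for a tokenisation service outside the merchant's cardholder
    data environment. Only the vault holds PANs. The index key (an assumption
    here; a real service would keep it in an HSM) makes the fingerprint an HMAC
    rather than a plain hash, so the index itself is not brute-forceable."""

    def __init__(self, index_key: bytes | None = None):
        self._index_key = index_key or secrets.token_bytes(32)
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fingerprint: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        fp = self._fingerprint(pan)
        token = self._token_by_fingerprint.get(fp)
        if token is None:
            token = mint_token(pan)
            while token in self._pan_by_token:   # vanishingly rare collision
                token = mint_token(pan)
            self._pan_by_token[token] = pan
            self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment-processing side should ever be able to call this."""
        return self._pan_by_token[token]


class MerchantOrders:
    """What the merchant actually stores: token, last four and amount.
    A dump of this table contains no card numbers."""

    def __init__(self, vault: TokenVault):
        self._vault = vault
        self.orders: list[dict] = []

    def record_order(self, order_id: str, pan: str, amount_cents: int) -> str:
        token = self._vault.tokenize(pan)
        self.orders.append({"order_id": order_id, "token": token,
                            "last4": token[-4:], "amount_cents": amount_cents})
        return token

    def holds_pan(self, pan: str) -> bool:
        """True if the raw PAN appears anywhere in the merchant's records."""
        pan = pan.replace(" ", "")
        return any(pan in str(v) for row in self.orders for v in row.values())


if __name__ == "__main__":
    vault = TokenVault()
    shop = MerchantOrders(vault)
    # Constructed input: the standard Visa test number, not a real card.
    token = shop.record_order("A1", "4111 1111 1111 1111", 1999)
    print("stored:", shop.orders[0])
    print("raw PAN in merchant records:", shop.holds_pan("4111111111111111"))
    print("vault can still recover it:", vault.detokenize(token))
```

The two pieces that matter for scope are that the vault runs somewhere the merchant’s systems cannot reach, and that `detokenize` is only callable from the processing side; if the merchant can call it, the merchant still has the cardholder data and the PCI scope has not actually shrunk.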

Other takeaways from the fireside chat with the PCI Council include the need for vigilance, communication and collaboration in tackling security issues. The biggest challenge for the next ten years will be criminals circumventing the security controls that already exist, and how this will drive the move to dynamic authentication.

Verizon’s Chris Novak spoke at the event about some of the cybercrime trends and how cybercrime is financially motivated, as crime gangs are increasingly becoming organised. They target everything from small and medium enterprises up to large companies, with the aim of breaching a network to steal and sell data in the hope of landing a payday. Less than 25 per cent of attacks can be attributed to espionage.

Although the percentage of organisations discovering an incident within days of its occurrence has risen (25 per cent, compared to 10 per cent in 2005), the volume of attacks has grown at a much faster rate. Attackers are also taking less time to breach victims’ networks, with the time now measured in days rather than weeks, and those threat actors are succeeding more often. Verizon’s data shows breaches taking a minimum of eight months to be discovered, and most of those discoveries are made by third parties or law enforcement. Fewer than 10 per cent are discovered by internal IT or security teams.

Security events are coming thick and fast this season. We’ll be at the ISACA Ireland Chapter Conference in Dublin this Friday 11 November, where we’ll be making a joint presentation as part of the event theme, ‘creating a culture of security’. VigiTrust is also sponsoring the 2016 Asia-Pacific Community meeting of the PCI Council. Check back on the blog to follow some of our thoughts from these conferences and more.
