There's a lot of things that we've had to address over the last six months when this COVID-19 became a pandemic. And it was a result of all this good work as a community that we were able to quickly turn around and provide guidance back to the rest of people searching for answers.

Welcome to Focus! A podcast dedicated to the business of higher education. I'm your host, Heather Richmond, and we will be exploring the challenges and opportunities facing today's higher learning institutions. Today I'm interviewing Troy Leach, senior vice president and engagement officer at PCI Security Standards Council. He provides insights about the new strategic framework that has been put into place for PCI. Hi Troy. Thanks for being our guest today.

Thanks for having me, Heather.

Well, for those who may not be familiar with the PCI Security Standards Council, can you provide a little background?

Sure, happy to. The PCI Council is a global forum that brings together payment industry stakeholders to develop different types of data security standards, and then also drive adoption of those standards in industry, along with raising awareness of other resources we have for protecting payments worldwide. The council was founded in 2006 by American Express, Discover, JCB International, Mastercard, and Visa. And the founding members, all five of them, share equally in the governance of the organization, with of course the support of more than 800 companies worldwide that participate in making payments safer.

That is great, and actually we did this podcast once before. We actually recorded an episode for season one because that's when the new strategic framework was released, but then that COVID thing happened and some of these things don't make sense anymore. It is shocking how different it is today compared to what it was just the last time we recorded.

Yeah, so many of the things that we were discussing, they were no longer relevant.
We were talking about types of travel, and going to Barcelona, and doing on-site assessments and some of the challenges there, and now we seem to be operating in a brave new world.

I know my poor suitcase is just sitting there looking at me like, "I haven't used you forever!" And I know that as part of creating that new strategic framework, your role changed during that time, right?

It did, yes. So my new title is senior vice president over market intelligence and stakeholder engagement. And what we did is we reorganized internally, near the time of the public release of the framework. And what this allowed is it provided a more formal way for us to take action by having a life cycle for that stakeholder engagement. I mentioned the 800 participating organizations, hundreds of other security companies and professionals around the world, and then also just the other stakeholders in industry that are either applying the PCI standards, or are looking to them as an example for what they might be trying to do as well. And so that life cycle then provides a way for us to have a better mechanism to listen to industry feedback, to encourage involvement in the standards process, in the development of future standards, have us be able to effectively communicate some of those changes back out to industry, and then just raise awareness through training and other interaction.

Yeah, that's great. It's really formed into quite the community, hasn't it?

It really has.

Yeah, well, but since the framework is still fairly new to the rest of us, can you provide an overview of what that framework is?

Yes. So the framework essentially captures our long-standing mission. And just does a good job of being able to compartmentalize all of the strategy that we try to - and have been trying to - accomplish for the last 14 years.
Which is to enhance the global payment account data security and associated payment data security, drive education and awareness, and also the effective implementation of this by stakeholders. So there are four pillars. The first is around increasing industry participation and involvement in the development of our standards and programs, as well as just broad awareness and knowledge of what the intent behind those standards is. The second is to continue to evolve the existing security requirements that have been created, and make sure that both the programs that support those standards, and the standard requirements themselves, have a legitimacy to them. That they're still relevant, that they still address the emerging threats of the payment ecosystem. And then also to secure - the third pillar - to secure emerging payment channels. So looking at what are the new alternative ways that we're starting to accept payments, and are we using mechanisms that are secure. Are we applying good security design to these new payment acceptance methods? But also are there new security processes - new security methodologies - that we should be adopting within our standards and programs as well. And then finally, the last pillar is that we increase the standards alignment throughout the world. And that there's a consistency, where appropriate, for us to partner with other standards bodies, with other organizations around the world, to make payments again safer.

That's great. It is nice to have that framework so we can all kind of wrap our heads around the different pillars. So let's dive into those pillars. Let's start with pillar one, which again focuses on the communication and education.

Yes, and this is one of the most important aspects where we need involvement from the community. You know, Benjamin Franklin once was quoted as saying, "Tell me and I will forget, you teach me and I will remember, involve me and I will learn." And we need that involvement.
All the work that we're doing, from the request for comment periods to engaging at our community meetings that are happening now throughout the fall. And then from there, we look at how we can create awareness for the learnings and the teachings all over the world. Earlier this year we had our Latin America forum event and they were doing case studies. They did five case studies that were specific and unique to the Brazilian market. But what we noticed is the things that were happening there were also happening in Mexico, in Colombia, in Europe, Asia, and North America. And so it's taking these lessons learned and being able to work as a global community to have some output and be able to adjust. Because what impacts us, say, in North America sometimes leads to new types of vulnerabilities and new exposures elsewhere, and vice versa. So we need to have a community of payment security. And that's really where you saw recently we've posted a lot on our website related to COVID-19, and all of that came from our community coming together and saying, "These are issues that we're facing." We had grocer associations and retailers saying, "How do we go about continuing to protect the payment terminals, but it's a high frequency, high traffic area and we want to make sure that our customers and our employees are still safe?" "How do we do remote assessment if, you know, we no longer can travel abroad and do these types of evaluations?" "And how do we work with our suppliers that might be in Southeast Asia and we're in North America?" "How do we deal with the disruptions to getting payment technology to us?" There's a lot of things that we've had to address over the last six months when this COVID-19 became a pandemic, and it was a result of all this good work as a community that we were able to quickly turn around and provide guidance back to the rest of the people searching for answers.

Yeah, you've done a really great job.
I know that I think about that, and see some of these unique ways when I go to a restaurant or a retailer and see how they're handling those point of sale payments a little bit differently. And so I know that that guidance certainly helped. Well, speaking of COVID, with a lot of remote working and some businesses that really had to shut down for a while, risks obviously have gone way up. And there's really that need to manage risk, which is pillar two. So that's really crucial right now. So let's first talk about those risks that you see.

Yeah, and, you know, we talked earlier there's a lot of alternative ways of accepting payments. And we saw especially in the small merchant community - and many universities and campuses really are small communities. They're almost their own towns. And they have all these smaller merchants that are accepting payments. And a lot of them had to move quickly to maybe an online presence that they didn't have before. Maybe they had a store that was just card present transactions and they had to migrate to e-commerce, or if they were a restaurant, possibly, they were doing takeout and all of a sudden were using curbside payment acceptance equipment, versus what they were traditionally used to. So we put together what we identified as the top eight really critical controls that people in a small business should be thinking about. We published that on our website and these are simple tasks that should immediately improve security. One of the things that COVID-19 really brought to the forefront is, it's not just the organization themselves and how they address and manage the COVID-19, but all of their third-party suppliers. We have so many small businesses that rely on the technology support of third parties, and sometimes if technology breaks down, they were expecting, you know, their terminal vendor, or whoever was supporting maybe their software, might be on site with them to resolve the issue.
And we saw that even those technology vendors were limiting their exposure and travel. So we had to find ways that remote access into the environment not only was secured during that connection but also remained secure. Because we know that historically we've had so many - the majority of data breaches - are through exposures and remote access. So trying to make sure that all of these new connections also remain secure.

Yeah, you're absolutely right. All the stories you do see, and it's always one of those things you're like, "Oh, I didn't realize that that was connected there, or I left that piece open, or had that level of vulnerability."

Absolutely.

And so this, also in this pillar number two, this is also where PCI DSS 4.0 fits in.

It does. And so DSS 4.0 truly is a new generation, a new revision of the standard. And probably the single biggest change is with our new customized approach option. So the PCI draft - and I have to emphasize it's currently in draft - it does include a new approach to meeting and validating different security technologies and methodologies to meet the objectives of PCI DSS requirements. You can think of this as a new and better way of developing, and then documenting, compensating controls. Something that I think over the years people really shied away from because there wasn't as much clarity to the intent. And the new approach we're hoping provides a roadmap for what it looks like if you have a mature risk organization that has the right mechanisms and mature process in place. How you could go about doing and demonstrating good efficacy and security. So we received a lot of guidance on this new approach. In fact, our RFC process netted over 3,200 pieces of comments. And we just introduced here a new RFC process that actually requires us to document and show back to any submitter what we did with those comments. And so you can imagine that was quite a daunting task over the last six to eight months.
And now we're in the process - we're in the middle of - a request for comment period to look to see, did we get those comments right? This will be the third - and hopefully final - request for comment period. So if any of the listeners are a participating organization, and many universities are, I highly encourage them to consider looking at the draft, downloading it, and knowing that it could change. It has evolved quite a bit, actually, in the last six months. And things that we proposed in the first RFC were not there in the second, and probably will change and evolve again in the third RFC. But we highly encourage people, if they do want to be involved, this is the time now to act and have that chance to see what we're thinking about.

That's great. I know that we were one of those 3,200 submitting some comments. So, appreciate all the work you guys have put into really taking good consideration for all of those comments, and then also giving that feedback loop back to the community.

It's been really interesting, Heather. You know, we've covered off so many different topics, and I'm not calling out any requirements because I don't know what the requirements you commented on are, but I do know there are some general themes that did come to light. One of them was around just the protection of cardholder data in transmission, so Requirement 4 of the PCI DSS. And looking at, have we evolved to a place that, you know, there are so many entities involved and inside of our networks, do we need to be looking at a broader encryption requirement? That was something that was discussed at length in the last RFC. Can we use self-signed signatures if we have confidence in the signer and the root of the certificate? So these are some of the things that we've been looking at. Passwords, with this guidance, and a lot of activity around authentication - that was a big area.
We knew going into this development that people wanted to look at all of the improvements and the evolution of authentication, as well as just some clarity around, you know, physical security, looking at Requirement 11 and some of the security systems and the processes associated with that, and looking at, you know, we needed to start having better authentication of the vulnerability scans. And then just the risk assessments. A lot of new conversation about what does a good, mature risk assessment look like in that process that is expected to happen every year? And what could the PCI Council be doing to provide clarity there as well?

Yeah, it's really interesting, and I think back and you said, you know, 14 years ago the creation, and I've been with TouchNet for 13 years, and so I've been talking PCI almost as long as you guys have been around. And just seeing that evolution and the changes that really have to take place from a security standpoint, and again with new technology coming on board, and new bad guys doing new bad things, and some of the changes, it's always evolving.

Oh yes, it really is. And that's, you know, one thing that I'd caution anyone listening to this podcast - is that, you know, the development of the PCI DSS standard and the expectation to meet new requirements is always changing, or I should say that it's actually typically several years by the time a standard comes out, because there's an expectation that you have to evolve to meet that new security requirement. So if I may just walk through the timeline for PCI DSS. We have, as I mentioned, begun our third RFC for this, which will happen over this fall. And then we'll hope to complete the standard and go - hopefully not at 3,200 comments again - but if it is, we'll go through that. But we're tentatively hoping to complete the standard by mid-year 2021.
And then all of the supporting documents like the self-assessment questionnaires, updating the training, all the associated program work, all that will hopefully be completed by the end of 2021. And from there there's timelines and horizon for, you know, the expectation of implementing those new changes to the standard. And what will happen is we always run at least 12 to 18 months; because this one's a little bit more significant it may be longer, that's not yet decided, but we will have a transition period for people being able to validate to version 3.2.1 of the PCI DSS and migrating to DSS version 4.0 throughout 2022 and into at least mid-year of 2023. And then, for any new requirement that's found within the standard, there's always an additional sunrise period. So if there are new requirements that we feel are significantly different and they will require possibly adjustment by an organization to complete, then we will typically provide at least two or three quarters of additional time. So I wouldn't expect any new requirements in PCI DSS 4 to have to be demonstrated and validated until at least the beginning of 2024.

Okay, that's great. And I'll say that's one thing that I know I've always appreciated about the council and the requirements. It seems like there's always plenty of time from a vendor's perspective for us to make changes if we need to, but also to help educate our schools. And I know that our schools are very appreciative to be able to have that time to truly understand what it means to implement before the compliance goes into effect. So I really appreciate that timeline.

Well, and Heather, you just mentioned something that I think is really important. Nowadays no one operates essentially their own systems, it relies on third-party subject matter experts and these service providers, and so there is a longer period of time. You know, maybe 15 years ago when PCI Council was getting started, you'd go to your I.T.
administrator and say fix this, this is the new change. But there's a longer process, just as you mentioned, that the vendors need to be aware of the change, their clients need to be aware of the change, and everyone needs to be working in partnership and concert. But that takes additional time, additional communication. So that's one of the reasons that the timelines that we create have additional padding nowadays for accommodating this new way that we operate business.

Yeah, again it's different than a decade or plus ago, right?

That's right.

And a lot of that really has to do with the, you know, the emerging technologies and standards. So that leads us right into pillar three, about emerging standards and technologies. So with this, you know, dramatic shift, really for digital transformation, what are the new standards focusing on?

Well, one of the very recent announcements is around mobile payments. So we have several standards in mobile payments, and what we've seen is with COVID-19, a global push for more contactless transactions. And just finding ways to leverage this way of not having to touch the same equipment that, you know, through a registry or somewhere else that you would have, you know, many people would be coming through. And so that's an opportunity for us as PCI Council. We have existing PCI requirements for contactless, and we're trying to help guide the next generation of technology. So we just announced that we are having PCI contactless for mobile devices that are common off-the-shelf, you know, Samsung, Android devices, Apple, and all these types of general consumer devices that may be accepting payments. We are now doing it with PIN acceptance, or I should say we're working on a standard. And it will be out for RFC where people can contribute to that.
Another area that we're looking at besides mobile and contactless is just around, in general, how do we protect, you know, payment data that's in these evolving channels such as cloud? So we have all of this new work in a cloud task force. I'm very excited. We have contributions from Google and Amazon, AWS, and Microsoft, among others. And they're sharing how this cutting edge way that the cloud infrastructure environment is changing, so we can leverage this technology to have more secure confidence in the protection of payments in that environment as well. And then regularly, you know, with this pillar we're constantly looking at what is the next generation of security? What's the next generation of payments? How do we incorporate dynamic data elements into every payment transaction, and what is the PCI Council's role to protect the integrity and the security of the authentication associated with these transactions? So I always get excited talking about the future because I see so many new things that will help universities so that they don't have to throw another 10+ layers of security at the same payment data. But we can flip the problem and have that payment data no longer be as relevant on its own, and find ways of dynamic authentication, dynamic data, and that I think will really help a lot of treasurers, and a lot of others around the world as we continue to mature in that area.

Yeah, I think that's great, Troy. You know, what's interesting is a couple things: one is, you know, obviously "contactless" is the buzzword right now, as it should be, and so we're really helping show our colleges and universities how to have that contactless campus, and mobile really is at the forefront of that. But what I thought was really interesting is we just did a student research study asking about, "How are you making payments?" And from a mobile perspective we really said, "If there was a university app for taking payments, what is most important to you?"
And it was an open-ended question, and security was one of the top reasons. And I found that really interesting because obviously from our perspective, and from our school administrators, security is always number one, but to think that students are thinking that way too, I just thought was so important. And especially since you're really focusing on secure payments.

Well, and that's always really nice to hear, because I think in some ways we've got so comfortable with remote technology. And we have, you know, this acceptance that I can give up my data and it will be secure. And there's an assumption of security, and sometimes it may not be as well designed as maybe as a consumer we would want it to be. So I do think that that's an important and interesting survey result that you have. I'm glad you shared that with me, I'm really glad to hear that.

And so finally, how do we get everybody on board? The fourth pillar being industry alignment, so that's probably quite the challenge.

Yeah, and you know, you would think that, but at least from our perspective, a lot of times it's not, for the same reason you were just talking about with the survey. I think everyone wants good security. The question - I guess except for cyber criminals would be the one exception to that. But, you know, in general people all want to do the same thing - the right thing. It's always about how do we go about that? And so in our work we want to make sure that there are people that are looking at the same types of issues, but they are looking at it from a different lens than payment security. And I'll give a couple examples: one is we're doing work right now - you may have seen some of the announcements and collaboration we've done with NIST. They developed a secure software development framework. We also developed a software security framework, and in their work they cite the PCI standard over two dozen times, or about two dozen times.
And it shows where there's so much alignment on good software design. Now they're looking at this from a broader perspective than payments, they're looking at government assets, they're looking at protecting a broader scope of data, but it shows that, you know, good security hygiene is really neutral to the industry. And we're finding ways that we can work with them to promote the commonality. Because a lot of these organizations might have to demonstrate good security of software design beyond just payments and PCI, but for health care information if they transfer bio data, or in other fields of interest to them. So that's important for us to make sure that we align and promote on that. Another example is with ANSI X9. We sit on many of their working groups and boards, we have a joint standard around PIN. So the protections associated with the PIN number that is commonly used for debit and other means. And so we find these ways; we also see our data security standard, I mentioned the 4.0, previous versions being mapped. We have CIS, the Center for Internet Security. They're a board of advisors member of ours. They've mapped their critical control objectives to PCI DSS. We've done the same work with mapping DSS to the NIST cybersecurity framework. So these are important ways that we demonstrate that you may not have to do 15 different assessments of the same environment. It may be that the same type of expectation in these different standards really is being met and the objective being attained, and possibly, hopefully, maybe the assessment being done only one or two times by an assessor. So that's really important for us, not only for us to minimize the overhead for demonstrating security, because we want people to be doing security every day, but being able to demonstrate it and validate it, we want that to be an easier objective to attain.
But it also allows us to work with these other groups that might be seeing risk in health care, risk in power utilities, risk in other industries that will eventually, possibly be used and abused to compromise payment data. And so working together across industries helps us to prepare for what future cyber threats there might be.

Yeah, that's great, and really just shows the reason why you have these four pillars and have this focus in all those areas to make sure everything's really accounted for.

Absolutely, yeah.

So what other areas should our colleges and universities be thinking about when it comes to security and PCI compliance?

Well, I'll share a couple. First is, you know, for the PCI Council we are recognizing, and actually prior to COVID-19 - and we're blaming everything on COVID-19, but I think this one is fair, just because universities were so impacted by this, and having students that had to be now all of a sudden online - we were trying to partner with academia to have curriculum in the schools. We knew that there is a job shortage in cyber security. This has been well documented by the Wall Street Journal. I know that several other industry organizations have come out with data that says, or really, the numbers are staggering, in the millions of jobs that really need to be filled by cyber security professionals. In fact ISACA and (ISC)² have done surveys out to the industry. One of those surveys was demonstrating that during this influx time, this transition of people going online, many of the cyber security professionals in their roles were assigned to general I.T. responsibilities, just to move and be responsible for getting people functional and operating online. And their security roles were put on a shelf for a temporary amount of time. So we're looking at ways that we can work with industry.
We still have plans for the future to have collaboration, and I think for universities themselves a couple of things that I would be mindful of - one is going back to e-commerce. We see Magecart as a significant issue for anyone that has an online business. Magecart is a name given to organized criminal groups that are able to insert malware into web pages, and it goes undetected by the merchants, by the small businesses, it goes directly to their customers' mobile devices and laptops. And that's an area that we've been looking at. Online digital skimming, also looking at all of the IoT devices that are on campuses, especially if there is not staff on campus to monitor these devices and check on them. We see a lot of online skimming and other types of activities. I've heard stories at the last Comtec event that I attended where a college kiosk coffee maker was compromised and led to a good amount of cardholder data stolen out of an IoT coffee maker. So we are looking at all these things, and those would be a couple of areas that I would be mindful of, obviously promoting good and regular encryption - point-to-point encryption - for any type of transactions that are happening over a campus setting. There's so much that is happening in the university arena that I could probably spend an hour just talking about specifically other things that I'd love to make universities aware of, but I know our time has run short and I do appreciate the platform to share just what's been happening in PCI Council.

Absolutely. Well, thank you so much, Troy, for your insights on this ever-evolving world of PCI.

Thank you, Heather.

Well, it really is clear how the strategic framework helps focus on all the areas necessary to ensure the best security for today's environment. Thanks for tuning in to this episode of Focus. Don't forget to subscribe so you can stay up-to-date on the business of higher education. For more information, check us out at touchnet.com.