The new PCI Software Security Framework may be just the start
- 26 April, 2019 07:00
Nothing bums out a room like starting to talk about compliance. Go ahead, try it at your next meet up and see how many people turn to their phones or the door.
Despite the groans, it is a necessary part of doing business today in every industry and a regulatory tool that helps to ensure the public’s privacy and security. As more of our data moves to digital applications and software plays a greater role in everything from industrial and medical systems to the primary conduits for economic activity, there is a greater push for regulations governing the safeguarding of this valuable information.
The rate of software deployments has increased dramatically in recent years, and in the eyes of the standards councils this is cause for updating their compliance requirements. Compounding the pressure for increased intervention from authorities is the fact that data breaches have become a common occurrence, with incidents at Equifax, Marriott, and a laundry list of other companies entering the public consciousness.
New standards for payment application development
One recent example is the Payment Card Industry Security Standards Council’s (PCI SSC) new set of guidelines for the producers of payment applications, issued in January. The PCI Software Security Framework (PCI SSF) is meant to replace the existing PCI Payment Application Data Security Standard (PA-DSS) that governs the developers of payment applications.
Under the PCI SSF are additional requirements for payment application developers to perform more testing and take more precautions for their software’s security. These rules, which will come into full effect over the next three years, will require companies to use more tooling to find and mitigate vulnerabilities in their software, as well as to take other measures to ensure the confidentiality, integrity, and availability of the protected data.
The reasoning behind the push to improve security for applications that handle financial transaction data is fairly obvious: attacks on these applications could hurt the flow of commerce. However, given that software is so pervasive throughout all industries, the question becomes which sector is likely to be next to see increased scrutiny.
Sectors that are ripe for regulations
At the top of our list of regulations likely to get a tightening of the screws are those of the Financial Industry Regulatory Authority (FINRA) and similar bodies that govern the financial services sector. Banks have proven to be favored targets of hackers over the last few years, raising the pressure on them to improve their digital security.
Healthcare is another key area that is already seeing stronger requirements, with new acts of Congress that relate specifically to medical device cyber security and the internet of medical things. The Health Insurance Portability and Accountability Act (HIPAA) is already the standard when it comes to healthcare data privacy, but the growth of internet-connected medical devices such as MRI machines and home tracking devices will likely bring more regulation as these devices reach higher market penetration.
Similar to the heightened regulation driven by concerns that medical devices could be targeted by attackers, we are likely to see additional regulation of the Internet of Things over the next five years. There is an understanding now that IoT is not just home gadgets like an Alexa assistant or a Nest thermostat, but also critical industrial infrastructure like power grids and city management systems. All of these technologies are ripe for attack by hackers who can conscript the devices into coordinated DDoS attacks, as the Mirai botnet did, or even cause widespread damage or panic by knocking out power, as was seen in the attacks on the Ukrainian grid.
We are already seeing signs of change within the major regulatory frameworks in the United States. The National Institute of Standards and Technology (NIST) is due to refresh its NIST SP 800-53 guidelines, with Revision 5 due out sometime this Spring. It is reported that the revision will drop language limiting its relevance to federal information systems, implying that it should be applied by all parties and to all systems.
Are new regulations just around the corner?
Even as new regulations are put in place over the next few years, it is unlikely that the various industries will feel serious pressure in the early stages. Making the appropriate changes to reach compliance takes time and can be a slow and painful process for all involved. As such, regulators have taken care to give companies plenty of lead time, as well as added leniency after the implementation date.
A brief look back at how the European Union’s GDPR raised everyone’s blood pressure over the past year and a half, as companies rushed to become compliant, is informative of how enforcement is likely to play out going forward.
Despite threats of harsh penalties for violators of up to 4% of a corporation’s global annual turnover or €20 million, whichever is higher, we have yet to see serious measures taken against offenders. Even as European regulators were sharpening their knives to go after firms that failed to implement the required changes to their data management practices, the same EU offices were admitting that they themselves were not adequately prepared to comply with GDPR.
What we have seen is increased transparency as companies look to avoid prosecution for hiding breaches, one clear positive result of GDPR.
For companies across all of these industries, change is in the air as governments and regulatory bodies seek to harden security in the coming years, playing catch-up after years of rapid growth in the software space. The questions are whether these regulations will be effective and practical, and how industry players will keep pace in reaching compliance.
Michael Hollander is a product owner and the data protection officer at WhiteSource. Before joining WhiteSource, Michael was a Product Manager at GE Digital, and he previously held a number of software development positions spanning over 10 years.