PCI Security Standards Council and the Consumer Technology Association Team up to Highlight the Importance of IoT Security
Washington D.C., 31 August 2022 – Today the PCI Security Standards Council (PCI SSC) and the Consumer Technology Association (CTA) issued a joint bulletin to highlight the importance of Internet of Things security. The full bulletin can be viewed here.
What is an Internet of Things (IoT) device?
When discussing IoT security, one of the first steps is to seek a common understanding and definition of an IoT device. The Consumer Technology Association (CTA) in conjunction with the Council to Secure the Digital Economy (CSDE), have produced the C2 Consensus on IoT Device Security Baseline Capabilities (C2 Consensus), which defines ‘IoT’ as:
With this broad definition, an IoT device could be a ‘smart’ toaster, desk phone, HVAC (heating, ventilation, and air conditioning) system, network camera, or one of many other types of devices.
What does IoT security have to do with payment security?
As IoT devices become more widespread, their use and deployment are increasingly crossing into areas of account-based payments. This may be incidental, with IoT devices deployed within a business environment where payments are also being processed, or more directly with an IoT device being used to accept, perform, or authorize payments on behalf of a user. When considering a deployment of IoT devices, the security of the devices and the payment data needs to be considered throughout the device lifecycle. Some questions organizations should ask include:
- Are the devices designed with security in mind?
- Are the devices deployed securely?
- Are the devices able to be maintained securely until decommissioned?
- Is there a decommission plan for the devices?
Helpful tips for IoT System Security Checklist/Questions
The following questions are recommended for those planning the purchase and deployment of IoT systems, to help the secure deployment, use, and decommissioning of these systems in an environment.
Does the device accept or facilitate payments, and how is this securely disabled or configured this for use? Is it included in the cardholder data flows for the network?
Does the deployment plan consider how to integrate the IoT device(s) into your environment in compliance with the PCI DSS?
Is the device designed with security in mind, and has it been tested against relevant standards such as ANSI/CTA-2088-A?
Does the vendor of the product guarantee updates for a set period of time, and have a history of on-going product security support? How does this align with the expected deployment period of the product in your environment?
What connectivity does the product require to provide the features required for its use and maintenance, including security updates? Is it possible to isolate the product onto its own network segment?
If network isolation is required and/or provided, how is this protected from change by operators of the device (e.g., by the user connecting to a different Wi-Fi network, or network segment)?
How can the product be securely decommissioned to ensure sensitive information is cleared before the device leaves your control?
On-the record quotes from Andrew Jamieson, Vice President, Solutions Standards, PCI Security Standards Council (PCI SSC):
“We have heard from our payment industry stakeholders about their concerns related to payment data protection on IoT devices. Hearing that feedback, we decided to act and have joined up with our friends at the Consumer Technology Association (CTA) to issue an industry bulletin on this topic. CTA has unique expertise in this area and together we have produced a document designed to address some IoT payment challenges and show how our standards can complement each other to address them.”
“The use of IoT products has accelerated in recent years and is projected to continue expanding in the future. Understanding how to securely deploy IoT systems is often a critical aspect of continuing to secure payment card data. With more and more internet connected products on the market every day, security is more important than ever.”
“The PCI SSC Data Security Standard (DSS) and the C2 Consensus Control are excellent starting points when thinking about the deployment of an IoT device and the environment in which an IoT system may be deployed.”
On-the-record quotes from Mike Bergman, Vice President, Technology & Standards, Consumer Technology Association (CTA):
“Following best practices for selecting, installing, and using IoT devices will make them far more difficult to compromise. This approach limits exposure to payment data and reduces the chance of data being stolen.”
“The bulletin we are jointly issuing today should be read by those who care about data security when it comes to IoT devices and their environments. By understanding the risks and best practices, organizations can be better prepared to protect against cyber-attacks.”
About the PCI Security Standards Council
The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible and effective data security standards and programs that help businesses detect, mitigate and prevent cyberattacks and breaches. Connect with PCI SSC on LinkedIn. Join the conversation on Twitter @PCISSC. Subscribe to the PCI Perspectives Blog.
1 The C2 Consensus also maps to important guidance from the National Institute of Standards and Technology (NIST) in their publication, NIST Interagency Report 8259A, IoT Device Cybersecurity Capability Core Baseline.
2 Council to Secure the Digital Economy (CSDE), The C2 Consensus on IoT Device Security Baseline Capabilities, https://csde.org/wp-content/uploads/2019/09/CSDE_IoT-C2-Consensus-Report_FINAL.pdf