The Payment Card Industry Security Standards Council (PCI SSC) has published version 3.0 of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS). Both documents are available now on the PCI SSC website. Version 3.0 becomes effective on January 1, 2014; version 2.0 remains active until December 31, 2014, so organizations may validate against either standard during that transition year.
The changes are intended to help companies make PCI DSS part of their business-as-usual activities by introducing more flexibility and an increased focus on education, awareness, and security as a shared responsibility.
Key updates to the standard include the following:
- Recommendations on making PCI DSS business-as-usual, with best practices for maintaining compliance continuously rather than only at assessment time;
- Incorporation of the tips and guidance from the separate Navigating PCI DSS document into the standard itself;
- More flexibility, and more education, around password strength and complexity;
- New requirements for protecting point-of-sale terminals;
- More robust requirements for penetration testing and for validating that network segmentation actually isolates the cardholder data environment;
- Enhanced testing procedures that clarify the level of validation expected for each requirement; and
- Expanded software development lifecycle security requirements, including threat modeling, for PA-DSS application vendors.
Under the new standard, merchants and service providers that handle payment card data will also need to:
- evaluate evolving malware threats for any systems not considered to be commonly affected by malicious software (Requirement 5.1.2);
- tie other authentication mechanisms, such as tokens, smart cards, and certificates, to individual accounts and ensure that only the intended user can use them to gain access (Requirement 8.6);
- control physical access to sensitive areas for onsite personnel, with a process to authorize access and to revoke it immediately upon termination (Requirement 9.3); and
- protect devices that capture payment card data through direct physical interaction with the card against tampering and substitution (Requirement 9.9).
"Lack of education and awareness; weak passwords, authentication; third-party security challenges; and slow self-detection in response to malware and other threats are some of the key challenge areas that precipitate many of the card security breaches happening today," says Bob Russo, general manager of the PCI Security Standards Council. "With these drivers in mind, the changes introduced with version 3.0 are designed to help organizations take a proactive approach to protect card data that focuses on security, not compliance."
According to Russo, the updates "will give organizations a strong but flexible security architecture with principles that can be applied to their unique technology, payment, and business environments."
The Council, he says, updates its standards on a three-year cycle based on feedback from the industry.
"Increased flexibility in version 3.0 will enable organizations to take a more customized approach to addressing and mitigating common risks and problem areas," Russo states. "At the same time, more rigorous testing procedures for validating proper implementation of requirements will help companies drive and maintain controls across their businesses."
As data breaches and security risk increase, "securing card data is a shared responsibility," Russo adds. "Today's payment environment is even more complex, creating multiple points of access to cardholder data."