PCI Council Revises Data Security Standards
Updated standards are designed to help organizations make payment security business-as-usual.
Posted Nov 8, 2013

The Payment Card Industry's Security Standards Council (PCI SSC) has published version 3.0 of the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). Available now on the PCI SSC Web site, version 3.0 becomes effective on January 1. Version 2.0 will remain active until December 31.

The changes were created to help companies make PCI DSS part of their business-as-usual activities by introducing more flexibility and an increased focus on education, awareness, and security as a shared responsibility.

Key updates to the standard include the following:

  • Recommendations on making PCI DSS business-as-usual and best practices for maintaining ongoing PCI DSS compliance;
  • Incorporating the tips and guidance from the Navigating PCI DSS guidance section right into the standard itself;
  • More flexibility and education around password strength and complexity;
  • New requirements for point-of-sale terminal security;
  • More robust requirements for penetration testing and validating segmentation;
  • Enhanced testing procedures to clarify the level of validation expected for each requirement; and
  • Expanded software development lifecycle security requirements, including threat modeling, for PA-DSS application vendors.

Under the new standards, companies that accept credit card payments will also need to evaluate evolving malware threats for any systems not considered to be commonly affected; link other authentication mechanisms to individual accounts and ensure only intended users can gain access; control physical access to sensitive areas for onsite personnel and have a process to authorize access and revoke access immediately upon termination; and protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

"Lack of education and awareness; weak passwords, authentication; third-party security challenges; and slow self-detection in response to malware and other threats are some of the key challenge areas that precipitate many of the card security breaches happening today," says Bob Russo, general manager of the PCI Security Standards Council. "With these drivers in mind, the changes introduced with version 3.0 are designed to help organizations take a proactive approach to protect card data that focuses on security, not compliance."

According to Russo, the updates "will give organizations a strong but flexible security architecture with principles that can be applied to their unique technology, payment, and business environments."

PCI, he says, updates its standards every three years based on feedback from the industry.

"Increased flexibility in version 3.0 will enable organizations to take a more customized approach to addressing and mitigating common risks and problem areas," Russo states. "At the same time, more rigorous testing procedures for validating proper implementation of requirements will help companies drive and maintain controls across their businesses."

As data breaches and security risk increase, "securing card data is a shared responsibility," Russo adds. "Today's payment environment is even more complex, creating multiple points of access to cardholder data."

