The Payment Card Industry Security Standards Council (PCI SSC) has released the Payment Card Industry Data Security Standard (PCI DSS) Version 3.0, which takes effect on January 1st, 2014. The new version of PCI DSS treats compliance as an ongoing practice, so that organizations that handle payment card data remain compliant between annual assessments rather than only at assessment time.
Highlights of the new requirements include:
- Periodic evaluation of evolving malware threats for systems not considered to be commonly affected by malware
- Minimum password complexity and strength requirements combined into a single requirement, with greater flexibility for alternative approaches
- Service providers with remote access to customer premises must use unique authentication credentials for each customer
- Protection of devices that capture payment card data through direct physical interaction with the card against tampering and substitution
The distinction between security and compliance is not always clearly understood, and merchants inadvertently place more focus on the latter than on the former. Compliance alone does not guarantee security, and PCI DSS Version 3.0 aims to ingrain this mentality by focusing on foundational security practices and by increasing education and awareness of security as a shared responsibility.
A recurring theme of the new release is the idea of making payment security business-as-usual. Bob Russo, general manager of the PCI SSC, echoed this sentiment in a recent interview: “PCI Standards continue to provide a strong framework for payment card security. The core principles at work when we first published PCI DSS are still relevant today. Version 3.0 builds on these to address the feedback we’ve heard from our community and to help organizations make payment security good business practice – every day, all year round.”
Changes are made to the standards every three years, based on feedback from a wide range of stakeholders including merchants, banks, processors, hardware and software developers, the Board of Advisors, point-of-sale vendors and the assessment (QSA and ASV) community. PCI DSS Version 2.0 will remain in effect until the end of December 2014, giving organizations ample time to make the transition.
Stay tuned for more on PCI DSS version 3.0 and how organizations can foster a smooth transition.
You can access the standards and a detailed summary of changes from version 2.0 to version 3.0 at the PCI SSC website: