Payment Card Security: An Everyday Business Practice

The Payment Card Industry (PCI) Security Standards Council (SSC) recently released version 3.0 of the PCI Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS). The newest set of security compliance requirements for merchants that accept credit and debit card payments, PCI 3.0, went into effect on January 1, 2014. PCI 2.0 will be active through 2014 to allow organizations sufficient time to transition to the new standard.

PCI 3.0 represents a significant update of the standard. While version 2.0 contained only two different requirements compared to version 1.2.1, version 3.0 has 20 different requirements compared to version 2.0. Most of the changes involve clarification of existing requirements as opposed to new ones, but there is also a change in mindset.

The central message conveyed by the new standard is that payment security must be an everyday business process, a shared responsibility across the entire organization to protect cardholder data. In many cases, organizations have been putting compliance on the back burner until it needs to be assessed and validated. Moving forward, the PCI SSC expects payment security to become a business-as-usual discipline. As part of this shift in approach, organizations will be required to self-validate their own processes, services and technology to identify and correct compliance issues.

PCI 3.0 also includes best practices for ensuring PCI-DSS compliance on a regular basis. These best practices include:

  • Ongoing monitoring of security software and protocols to make sure they’re operating properly.
  • Implementing processes to quickly detect and address security control failures.
  • Evaluating how planned modifications to the environment, such as changing system and network configurations or adding new systems, will affect the PCI-DSS scope, and then adjusting security controls accordingly.
  • Determining how mergers, acquisitions and other organizational changes affect the PCI-DSS scope and whether or not existing technology will be supported by their vendors.
  • Assigning and separating responsibilities for security and operations to ensure a system of checks and balances.

The updates in PCI 3.0 are intended to shine a new light on the importance of cardholder data security and safety throughout organizations. They require that merchants follow best practices that ensure consumer trust in the payment card system.

For example, vendors will now be required to use separate passwords for each customer environment. This rule comes as the result of a security breach in which a hacker gained access to a single account and used the same password to infiltrate every other account for that particular vendor. While modern threats receive the most attention, this case shows the need to address basic best practices, which can be accomplished in part by increasing awareness and education.

In Part 2 of this post, we’ll discuss in greater detail some of the specific requirements of PCI 3.0 from a technology perspective.