PCI Security Standards Council Shares Expected Changes to PCI DSS and PA-DSS
The PCI Security Standards Council (PCI SSC), the standards body that oversees the Payment Card Industry Data Security Standard (PCI DSS), has released a preview of PCI DSS 3.0, which is scheduled to be published on Nov. 7, 2013.
The 3.0 standards become effective Jan. 1, 2014, but in order to give stakeholders time for the transition, version 2.0 will remain active until Dec. 31, 2014.
According to the Council, key drivers for version 3.0 updates include: lack of education and awareness; weak passwords and authentication challenges; third party security challenges; slow self-detection in response to malware and other threats; inconsistency in assessments.
Version 3.0 is expected to bring more robust requirements for penetration testing and validating segmentation, as well as expanded software development lifecycle (SDLC) security requirements for PA-DSS application vendors, including responsibility for threat modeling.
According to Philip Lieberman, CEO of Lieberman Software, the new PCI 3.0 standard is long overdue.
“The new PCI standard appropriately moves the focus away from compliance and puts the focus squarely where it should have been in the first place: focus on security and processes to achieve continuous compliance,” Lieberman told SecurityWeek. “The new standard recognizes that perimeter breaches are a regular occurrence and outsiders regularly have access to credit card information. Given that the perimeter is no longer secure, the only real mitigation is to have persistent controls within the interior that are both human and technological to minimize losses.”
“The PCI DSS v3.0 preview confirms that the downstream software supply chain is an emerging attack vector that impacts not only the payments industry, but enterprises as well,” Torsten George, Vice President Worldwide Marketing, Products, and Support for security risk management vendor Agiliance, told SecurityWeek. “Increasing requirements for penetration testing, application development lifecycle security, and threat modeling all point to the fact that supply chain risks are an escalating concern.”
“Enterprises will need to go beyond vendor risk surveys and use verification services to test software applications prior to procurement and deployment,” George added.
“PCI DSS and PA-DSS 3.0 will provide organizations the framework for assessing the risk involved with technologies and platforms and the flexibility to apply these principles to their unique payment and business environments, such as e-commerce, mobile acceptance or cloud computing,” added Troy Leach, PCI SSC chief technology officer.
Version 3.0 will introduce more changes than version 2.0 did, with several new sub-requirements, the Council said. The list of proposed updates to be incorporated into 3.0 includes:
• Recommendations on making PCI DSS business-as-usual and best practices for maintaining ongoing PCI DSS compliance
• Security policy and operational procedures built into each requirement
• Guidance for all requirements, with content from the Navigating PCI DSS Guide
• Increased flexibility and education around password strength and complexity
• New requirements for point-of-sale terminal security
• More robust requirements for penetration testing and validating segmentation
• Considerations for cardholder data in memory
• Enhanced testing procedures to clarify the level of validation expected for each requirement
• Expanded software development lifecycle security requirements for PA-DSS application vendors, including threat modeling
The updates are still under review by the PCI community; final changes will be determined after the PCI community meetings and incorporated into the final versions of PCI DSS and PA-DSS published in November.
The PCI Security Standards Council has more than 650 Participating Organizations representing merchants, banks, processors and vendors around the world.
The change highlights document, with tables outlining the anticipated updates, is available online.