PCI Security Standards Council Releases PCI 3.0 Draft Guidelines

PCI Security Standards Council Shares Expected Changes to PCI DSS and PA-DSS 
The PCI Security Standards Council (PCI SSC), the standards body that oversees the Payment Card Industry Data Security Standard (PCI DSS), has released a preview of PCI DSS 3.0 which is scheduled to be published on Nov. 7, 2013.

The 3.0 standards become effective Jan. 1, 2014, but in order to give stakeholders time for the transition, version 2.0 will remain active until Dec. 31, 2014.

According to the Council, the key drivers for the version 3.0 updates are: lack of education and awareness; weak passwords and authentication challenges; third-party security challenges; slow self-detection in response to malware and other threats; and inconsistency in assessments.

Version 3.0 is expected to bring more robust requirements for penetration testing and for validating network segmentation, as well as expanded software development lifecycle (SDLC) security requirements for PA-DSS application vendors, including responsibility for threat modeling.

According to Philip Lieberman, CEO of Lieberman Software, the new PCI 3.0 standard is long overdue.

“The new PCI standard appropriately moves the focus away from compliance and puts the focus squarely where it should have been in the first place: focus on security and processes to achieve continuous compliance,” Lieberman told SecurityWeek. “The new standard recognizes that perimeter breaches are a regular occurrence and outsiders regularly have access to credit card information. Given that the perimeter is no longer secure, the only real mitigation is to have persistent controls within the interior that are both human and technological to minimize losses.”

“The PCI DSS v3.0 preview confirms that the downstream software supply chain is an emerging attack vector that impacts not only the payments industry, but enterprises as well,” Torsten George, Vice President of Worldwide Marketing, Products, and Support for security risk management vendor Agiliance, told SecurityWeek. “Increasing requirements for penetration testing, application development lifecycle security, and threat modeling all point to the fact that supply chain risks are an escalating concern.”

“Enterprises will need to go beyond vendor risk surveys and use verification services to test software applications prior to procurement and deployment,” George added.

“PCI DSS and PA-DSS 3.0 will provide organizations the framework for assessing the risk involved with technologies and platforms and the flexibility to apply these principles to their unique payment and business environments, such as e-commerce, mobile acceptance or cloud computing,” added Troy Leach, PCI SSC chief technology officer.

Version 3.0 will introduce more changes than version 2.0 did, with several new sub-requirements, the Council said. The list of proposed updates to be incorporated into 3.0 includes:

• Recommendations on making PCI DSS business-as-usual and best practices for maintaining ongoing PCI DSS compliance

• Security policy and operational procedures built into each requirement

• Guidance for all requirements, with content drawn from the Navigating PCI DSS guide

• Increased flexibility and education around password strength and complexity

• New requirements for point-of-sale terminal security

• More robust requirements for penetration testing and for validating network segmentation

• Considerations for cardholder data in memory

• Enhanced testing procedures to clarify the level of validation expected for each requirement

• Expanded software development lifecycle security requirements for PA-DSS application vendors, including threat modeling

The updates are still under review by the PCI community. Final changes will be determined after the PCI community meetings and incorporated into the final versions of PCI DSS and PA-DSS, to be published in November.

The PCI Security Standards Council has more than 650 Participating Organizations representing merchants, banks, processors and vendors around the world.

The change-highlights document, which includes tables outlining the anticipated updates, is available online.

Written by Mike Lennon

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
