Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy & Compliance

New Changes to PCI Data Security Standard Published

It’s official – PCI 3.0, the latest version of the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) have now been published. Fortunately for businesses however, they have more than a year before they have to fully make the transition.

It’s official – PCI 3.0, the latest version of the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) have now been published. Fortunately for businesses however, they have more than a year before they have to fully make the transition.

 “The core principles at work when we first published PCI DSS are still relevant today,” said Bob Russo, general manager of the PCI Security Standards Council, in a statement. “Version 3.0 builds on these to address the feedback we’ve heard from our community and to help organizations make payment security good business practice – every day, all year round.”

The changes to the standards cover a significant amount of ground, from malware detection to physical security controls to protect access to sensitive systems. For example, as part of PCI DSS, businesses will be required to implement methodology for penetration testing and service providers with remote access to customer premises must use unique authentication credentials for each customer.

The standards officially become effective Jan. 1, 2014, though merchants will have until Jan. 1, 2015, to become complaint with the new regulations. In a few cases, businesses will have additional time to implement any changes. For example, PCI DSS requirement 9.9 mandates that devices that capture payment card data through direct physical interaction with the card be protected from tampering. That provision will be considered a “best practice” until July 15, 2015, when organizations will be expected to fully comply.

For some businesses, the new regulations could translate into increased time and costs to remain compliant, noted Kurt Hagerman, director of information security at FireHost. Resistance to increased audit costs could put pressure on quality security assessors (QSAs) to perform proper assessments, and there could also be additional strain on IT budgets that will put pressure on security officers to justify costs. Still, if the changes are embraced and the QSAs do their jobs well, there should be a significant improvement in credit card security, he said.

Advertisement. Scroll to continue reading.

“I think the changes to DSS v3.0 are positive and I believe it will help improve the quality of assessments and further reduce overall risk,” Hagerman said. “That said, I believe there is still a bit of a weakness is regarding virtualization. It’s been addressed at a high level for the virtual server components but there are more details that could be spelled out regarding assessing the security of the underlying virtualization infrastructure, such as hypervisor hardening, security of the virtualization management layer, and virtual switching.”

Steve Hall, director of PCI solutions for Tripwire, noted that while PCI DSS 3.0 includes new reporting templates with guidance, the ‘report on compliance’ format is still under development and not scheduled to be ready until March. That means that QSAs will not have a way to determine if they are testing the right procedures in the meantime.

“Even though V2 compliant vendors will have a one year grace period, this gap is going to be a significant friction point between the standards body, merchants and service providers, and the QSAs,” he said.

“PCI DSS has been taking all the feedback they got on the proposed changes  and trying to address them,” he added. “The fact that they’re putting the rubber stamp on the new standard is a big deal.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.