Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy & Compliance

New Changes to PCI Data Security Standard Published

It’s official – PCI 3.0, the latest version of the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) have now been published. Fortunately for businesses however, they have more than a year before they have to fully make the transition.

It’s official – PCI 3.0, the latest version of the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) have now been published. Fortunately for businesses however, they have more than a year before they have to fully make the transition.

 “The core principles at work when we first published PCI DSS are still relevant today,” said Bob Russo, general manager of the PCI Security Standards Council, in a statement. “Version 3.0 builds on these to address the feedback we’ve heard from our community and to help organizations make payment security good business practice – every day, all year round.”

The changes to the standards cover a significant amount of ground, from malware detection to physical security controls to protect access to sensitive systems. For example, as part of PCI DSS, businesses will be required to implement methodology for penetration testing and service providers with remote access to customer premises must use unique authentication credentials for each customer.

The standards officially become effective Jan. 1, 2014, though merchants will have until Jan. 1, 2015, to become complaint with the new regulations. In a few cases, businesses will have additional time to implement any changes. For example, PCI DSS requirement 9.9 mandates that devices that capture payment card data through direct physical interaction with the card be protected from tampering. That provision will be considered a “best practice” until July 15, 2015, when organizations will be expected to fully comply.

For some businesses, the new regulations could translate into increased time and costs to remain compliant, noted Kurt Hagerman, director of information security at FireHost. Resistance to increased audit costs could put pressure on quality security assessors (QSAs) to perform proper assessments, and there could also be additional strain on IT budgets that will put pressure on security officers to justify costs. Still, if the changes are embraced and the QSAs do their jobs well, there should be a significant improvement in credit card security, he said.

“I think the changes to DSS v3.0 are positive and I believe it will help improve the quality of assessments and further reduce overall risk,” Hagerman said. “That said, I believe there is still a bit of a weakness is regarding virtualization. It’s been addressed at a high level for the virtual server components but there are more details that could be spelled out regarding assessing the security of the underlying virtualization infrastructure, such as hypervisor hardening, security of the virtualization management layer, and virtual switching.”

Steve Hall, director of PCI solutions for Tripwire, noted that while PCI DSS 3.0 includes new reporting templates with guidance, the ‘report on compliance’ format is still under development and not scheduled to be ready until March. That means that QSAs will not have a way to determine if they are testing the right procedures in the meantime.

“Even though V2 compliant vendors will have a one year grace period, this gap is going to be a significant friction point between the standards body, merchants and service providers, and the QSAs,” he said.

“PCI DSS has been taking all the feedback they got on the proposed changes  and trying to address them,” he added. “The fact that they’re putting the rubber stamp on the new standard is a big deal.”

Written By

Click to comment

Expert Insights

Related Content

Privacy

The EU's digital policy chief warned TikTok’s boss that the social media app must fall in line with tough new rules for online platforms...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Privacy

Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Cloud Security

AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.

Privacy

Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Application Security

Microsoft’s security patching machine hummed into overdrive Tuesday with the release of fixes for at least 97 documented software vulnerabilities, including a zero-day that’s...