Security Experts:

Connect with us

Hi, what are you looking for?


Privacy & Compliance

New Changes to PCI Data Security Standard Published

It’s official – PCI 3.0, the latest version of the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) have now been published. Fortunately for businesses however, they have more than a year before they have to fully make the transition.

It’s official – PCI 3.0, the latest version of the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) have now been published. Fortunately for businesses however, they have more than a year before they have to fully make the transition.

 “The core principles at work when we first published PCI DSS are still relevant today,” said Bob Russo, general manager of the PCI Security Standards Council, in a statement. “Version 3.0 builds on these to address the feedback we’ve heard from our community and to help organizations make payment security good business practice – every day, all year round.”

The changes to the standards cover a significant amount of ground, from malware detection to physical security controls to protect access to sensitive systems. For example, as part of PCI DSS, businesses will be required to implement methodology for penetration testing and service providers with remote access to customer premises must use unique authentication credentials for each customer.

The standards officially become effective Jan. 1, 2014, though merchants will have until Jan. 1, 2015, to become complaint with the new regulations. In a few cases, businesses will have additional time to implement any changes. For example, PCI DSS requirement 9.9 mandates that devices that capture payment card data through direct physical interaction with the card be protected from tampering. That provision will be considered a “best practice” until July 15, 2015, when organizations will be expected to fully comply.

For some businesses, the new regulations could translate into increased time and costs to remain compliant, noted Kurt Hagerman, director of information security at FireHost. Resistance to increased audit costs could put pressure on quality security assessors (QSAs) to perform proper assessments, and there could also be additional strain on IT budgets that will put pressure on security officers to justify costs. Still, if the changes are embraced and the QSAs do their jobs well, there should be a significant improvement in credit card security, he said.

“I think the changes to DSS v3.0 are positive and I believe it will help improve the quality of assessments and further reduce overall risk,” Hagerman said. “That said, I believe there is still a bit of a weakness is regarding virtualization. It’s been addressed at a high level for the virtual server components but there are more details that could be spelled out regarding assessing the security of the underlying virtualization infrastructure, such as hypervisor hardening, security of the virtualization management layer, and virtual switching.”

Steve Hall, director of PCI solutions for Tripwire, noted that while PCI DSS 3.0 includes new reporting templates with guidance, the ‘report on compliance’ format is still under development and not scheduled to be ready until March. That means that QSAs will not have a way to determine if they are testing the right procedures in the meantime.

“Even though V2 compliant vendors will have a one year grace period, this gap is going to be a significant friction point between the standards body, merchants and service providers, and the QSAs,” he said.

“PCI DSS has been taking all the feedback they got on the proposed changes  and trying to address them,” he added. “The fact that they’re putting the rubber stamp on the new standard is a big deal.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

Application Security

Less than a week after patching critical security defects affecting multiple enterprise-facing products, VMware is warning that one of the flaws is being exploited...


Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.