It’s official – PCI 3.0, the latest version of the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) have now been published. Fortunately for businesses however, they have more than a year before they have to fully make the transition.
“The core principles at work when we first published PCI DSS are still relevant today,” said Bob Russo, general manager of the PCI Security Standards Council, in a statement. “Version 3.0 builds on these to address the feedback we’ve heard from our community and to help organizations make payment security good business practice – every day, all year round.”
The changes to the standards cover a significant amount of ground, from malware detection to physical security controls to protect access to sensitive systems. For example, as part of PCI DSS, businesses will be required to implement methodology for penetration testing and service providers with remote access to customer premises must use unique authentication credentials for each customer.
The standards officially become effective Jan. 1, 2014, though merchants will have until Jan. 1, 2015, to become complaint with the new regulations. In a few cases, businesses will have additional time to implement any changes. For example, PCI DSS requirement 9.9 mandates that devices that capture payment card data through direct physical interaction with the card be protected from tampering. That provision will be considered a “best practice” until July 15, 2015, when organizations will be expected to fully comply.
For some businesses, the new regulations could translate into increased time and costs to remain compliant, noted Kurt Hagerman, director of information security at FireHost. Resistance to increased audit costs could put pressure on quality security assessors (QSAs) to perform proper assessments, and there could also be additional strain on IT budgets that will put pressure on security officers to justify costs. Still, if the changes are embraced and the QSAs do their jobs well, there should be a significant improvement in credit card security, he said.
“I think the changes to DSS v3.0 are positive and I believe it will help improve the quality of assessments and further reduce overall risk,” Hagerman said. “That said, I believe there is still a bit of a weakness is regarding virtualization. It’s been addressed at a high level for the virtual server components but there are more details that could be spelled out regarding assessing the security of the underlying virtualization infrastructure, such as hypervisor hardening, security of the virtualization management layer, and virtual switching.”
Steve Hall, director of PCI solutions for Tripwire, noted that while PCI DSS 3.0 includes new reporting templates with guidance, the ‘report on compliance’ format is still under development and not scheduled to be ready until March. That means that QSAs will not have a way to determine if they are testing the right procedures in the meantime.
“Even though V2 compliant vendors will have a one year grace period, this gap is going to be a significant friction point between the standards body, merchants and service providers, and the QSAs,” he said.
“PCI DSS has been taking all the feedback they got on the proposed changes and trying to address them,” he added. “The fact that they’re putting the rubber stamp on the new standard is a big deal.”