PCI Security Standards Council Releases PCI 3.0 Draft Guidelines

PCI Security Standards Council Shares Expected Changes to PCI DSS and PA-DSS 

The PCI Security Standards Council (PCI SSC), the standards body that oversees the Payment Card Industry Data Security Standard (PCI DSS), has released a preview of PCI DSS 3.0, which is scheduled to be published on Nov. 7, 2013.

The 3.0 standards become effective Jan. 1, 2014, but in order to give stakeholders time for the transition, version 2.0 will remain active until Dec. 31, 2014.

According to the Council, the key drivers for the version 3.0 updates include a lack of education and awareness, weak passwords and authentication challenges, third-party security challenges, slow self-detection in response to malware and other threats, and inconsistency in assessments.

Version 3.0 is expected to bring more robust requirements for penetration testing and for validating network segmentation, as well as expanded software development lifecycle (SDLC) security requirements for PA-DSS application vendors, including responsibility for threat modeling.

According to Philip Lieberman, CEO of Lieberman Software, the new PCI 3.0 standard is long overdue.

“The new PCI standard appropriately moves the focus away from compliance and puts the focus squarely where it should have been in the first place: focus on security and processes to achieve continuous compliance,” Lieberman told SecurityWeek. “The new standard recognizes the perimeter breaches are a regular occurrence and outsiders regularly have access to credit card information. Given that the perimeter is no longer secure, the only real mitigation is to have persistent controls within the interior that are both human and technological to minimize losses.”

“The PCI DSS v 3.0 preview confirms that the downstream software supply chain is an emerging attack vector that impacts not only the payments industry, but enterprises as well,” Torsten George, Vice President Worldwide Marketing, Products, and Support for security risk management vendor Agiliance, told SecurityWeek. “Increasing requirements for penetration testing, application development lifecycle security, and threat modeling all point to the fact that supply chain risks are an escalating concern.”

“Enterprises will need to go beyond vendor risk surveys and use verification services to test software applications prior to procurement and deployment,” George added.

“PCI DSS and PA-DSS 3.0 will provide organizations the framework for assessing the risk involved with technologies and platforms and the flexibility to apply these principles to their unique payment and business environments, such as e-commerce, mobile acceptance or cloud computing,” added Troy Leach, PCI SSC chief technology officer.

Version 3.0 will introduce more changes than version 2.0 did, with several new sub-requirements, the Council said. The list of proposed updates to be incorporated into 3.0 includes:

• Recommendations on making PCI DSS business-as-usual and best practices for maintaining ongoing PCI DSS compliance

• Security policy and operational procedures built into each requirement

• Guidance for all requirements, with content from the Navigating PCI DSS Guide

• Increased flexibility and education around password strength and complexity

• New requirements for point-of-sale terminal security

• More robust requirements for penetration testing and validating segmentation

• Considerations for cardholder data in memory

• Enhanced testing procedures to clarify the level of validation expected for each requirement

• Expanded software development lifecycle security requirements for PA-DSS application vendors, including threat modeling

The updates are still under review by the PCI community; final changes will be determined after the PCI community meetings and incorporated into the final versions of PCI DSS and PA-DSS published in November.

The PCI Security Standards Council has more than 650 Participating Organizations representing merchants, banks, processors and vendors around the world.

The change highlights document, with tables outlining the anticipated updates, is available online.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
