PoS, passwords and education lead new PCI changes
By Retail Technology | Thursday August 15 2013
PCI Council highlights expected updates to PCI DSS and PA DSS version 3.0 with a focus on flexibility, education and awareness
The organisation in charge of administering the Payment Card Industry (PCI) security standards today released highlights of expected changes, which include new requirements for point-of-sale (PoS) terminal security.
The PCI Security Standards Council (SSC) said these and other proposed updates to the new version 3.0 of PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA DSS) to be published in November would help merchants and their partners embed compliance into business-as-usual activities.
The updates will include recommendations on maintaining ongoing PCI DSS compliance and are designed to introduce more flexibility, and an increased focus on education, awareness and security as a shared responsibility, based on feedback from the Council’s global constituents.
Taking on new risks and threats
It said key drivers for version 3.0 updates include: lack of education and awareness; weak passwords and authentication challenges; third party security challenges; slow self-detection in response to malware and other threats; and inconsistency in assessments.
Version 3.0 will introduce more changes than version 2.0, with several new sub-requirements. And they are expected to address:
- New requirements for PoS terminal security
- Increased flexibility and education around password strength and complexity
- Considerations for cardholder data in memory
- Security policy and operational procedures built into each requirement
- Guidance for all requirements with content from Navigating PCI DSS Guide
- More robust requirements for penetration testing and validating segmentation
- Enhanced testing procedures to clarify the level of validation expected for each requirement
- Expanded software development lifecycle security requirements for PA DSS application vendors, including threat modelling
The seven-page change highlights document published today is part of the Council’s commitment to provide as much information as possible during the development process and eliminate any perceived surprises for organisations in their PCI security planning.
Preparing to meet new requirements
The summary is also designed to help PCI Participating Organisations and the assessment community to prepare for review and discussion of draft versions of the standards at the upcoming 2013 Community Meetings in September and October. Final version 3.0 changes will be determined after the PCI Community Meetings and incorporated into the final versions of the PCI DSS and PA-DSS published in November.
Based on feedback from the industry, in 2010 the Council moved from a two-year to a three-year standards development lifecycle. The additional year was added to provide a longer period to gather feedback and more time for organisations to implement changes before a new version is released.
PCI DSS and PA DSS 3.0 will be published on 7 November 2013. The standards become effective 1 January 2014, but version 2.0 will remain active until 31 December 2014 to ensure adequate transition time.
The Council will host a webinar series for the PCI community and the general public to outline the proposed changes. Click here to register.
The next issue of Retail Technology magazine will include more detail about the new standards in an interview with the PCI SCC’s European director Jeremy King. Contact us to subscribe.
