PCI Council previews changes to data security standards
The council released a highlight of potential new requirements and guidance.
The PCI Security Standards Council is giving merchants a first look at changes that could be introduced later this year to its credit card data and payment application security guidelines.
On Thursday, the council released the seven-page “3.0 Change Highlights” document, a preview to the updated PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA DSS), which are set to be published Nov. 7.
The standards, which undergo revisions every three years, were developed to help ensure that customer card data is protected by merchants that store, transmit and process it.
Expected changes in version 3.0 include a new requirement that merchants draw up a current diagram showing how cardholder data flows through organizations' systems.
In addition, the new version will contain guidance around protecting point-of-sale (POS) terminals and devices from threats such as tampering, malware, and insiders. Another addition being considered for version 3.0 is an educational explanation of why each of the 12 core security requirements has been included in the standard and how each helps organizations mitigate specific threats.
Bob Russo, the PCI council's general manager, told SCMagazine.com on Wednesday that the possible amendments – which also include giving merchants more flexibility in password authentication options – are meant to make the guidelines easier to implement on a day-to-day basis.
“In our mind, we need to make this more of a business-as-usual type of thing, instead of you study to pass the test once a year,” Russo said. “We have the same core 12 standards, but we have incorporated things to make this part of their everyday [operations].”
Meanwhile, the updated PA DSS, which was introduced by the council in 2008, is likely to include additional procedures for software developers who build programs that process credit card payments, including rules on managing the full lifecycle of the software and requirements for developer education.
There has been back-and-forth in the security community, and among merchants, on whether PCI DSS is a burden or benefit to those expected to comply. Organizations often cite implementation, audit costs, dealing with legacy systems and overcoming confusion over what is required as prime challenges.
Meanwhile, there are questions over whether the banks and the card brands are taking on enough of the risk.
In one landmark case, a merchant is in the midst of a court battle to recoup $13 million in fines levied against it after a 2010 breach. Per its merchant contracts, Nashville, Tenn.-based sportswear company Genesco compensated its acquiring banks, Wells Fargo and Fifth Third, for the fine amount. Genesco then filed a lawsuit against Visa, which levied the penalty, to recoup that amount.
Visa imposed the penalties on the banks, which passed them down to Genesco, for non-compliance with PCI DSS that allegedly led to the breach. In a complaint, filed in a United States District Court in Nashville, Genesco said that Visa “had no reasonable basis for concluding that Genesco was non-compliant with the PCI DSS requirement at the time of the intrusion or at any other relevant time.”
Visa, late last month, lost a motion to dismiss the suit.
The proposed changes to PCI DSS and PA DSS are expected to come in November, after drafts are discussed at the council's community meetings in September and October.
The new standards will become effective Jan. 1, 2014.
According to Visa statistics, as of Dec. 31, 2012, 95 percent of Level 1 merchants, which are those companies that process greater than six million transactions annually, have validated PCI DSS compliance. Level 2 merchants, which process between one and six million transactions, have achieved a 90 percent rate. Level 3 merchants, which process between 20,000 and one million transactions, are at 55 percent.