PCI council publishes updated payment security standards

After considering feedback from the global payment card industry, the PCI Security Standards Council (PCI SSC) has published its new guidelines for securing card data.

On Thursday, version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) became available for merchants, who'll have until January 1, 2014 before the requirements become effective.

The new standards focus on making payment security part of organizations' and professionals' “business-as-usual activities,” the PCI council said in a release on the guidelines.

Ten new requirements have been introduced to PCI DSS, including rules for assessing evolving malware threats affecting payment systems and for requiring service providers with remote access to card data to have unique authentication credentials. Standards for managing employees' physical access to financial information were also added.

In addition, merchants should be aware that a number of new requirements will remain best practices until July 1, 2015, to give organizations time to fully comply.

For instance, PCI DSS requirement 9.9, which clarifies how to protect devices like point-of-sale (POS) terminals from tampering and malware, is among the requirements that organizations have an extended period of time to implement.

New PA-DSS requirements, which revolve around the security of payment applications, include standards requiring payment application developers to ensure the integrity of source code, and to provide security and PA-DSS training at least once a year for vendor personnel with payment application security responsibilities.

Bob Russo, general manager of the PCI council, told SCMagazine.com that version 3.0 of the standards supports an underlying theme of education and awareness for the payment card industry.

“This is the culmination of three years' worth of feedback,” Russo said of the new standards.

To help professionals implement the requirements with more ease, the council has incorporated guidance into its 112-page document, like the “Navigating PCI-DSS Guide,” he added.

On Wednesday, Rodolphe Simonetti, managing director of Verizon's Payment Card Industry Services, told SCMagazine.com that the new guidelines were “easier to read and easier to manage.”

On the extended timeline for complying with certain requirements, Simonetti commented that the standards offer the “right mix of security, but also compliance and alliance with business [operations].”
