PCI council publishes updated payment security standards | SC Media
Policy, Compliance

PCI council publishes updated payment security standards

November 7, 2013

After considering feedback from the global payment card industry, the PCI Security Standards Council (PCI SSC) has published its new guidelines for securing card data.

On Thursday, version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) became available for merchants, who'll have until January 1, 2014 before the requirements become effective.

The new standards focus on making payment security part of organizations and professionals “business-as-usual activities,” the PCI council said in a release on the guidelines.

Ten new requirements have been introduced to PCI DSS, including rules for assessing evolving malware threats affecting payment systems and for requiring service providers with remote access to card data to have unique authentication credentials. Standards for managing employees' physical access to financial information were also added.

In addition, merchants should be aware that a number of new requirements will remain best practices until July 1, 2015, to give organizations time to fully comply.

For instance, PCI DSS requirement 9.9, which clarifies how to protect devices like point-of-sale (POS) terminals from tampering and malware, is among the requirements that organizations have an extended period of time to implement.

New PA-DSS requirements, which revolve around the security of payment applications, include standards on payment application developers ensuring the integrity of source code, and on providing security and PA-DSS training at least one time a year for vendor personnel with payment application security responsibilities.

Bob Russo, general manager of the PCI council, told SCMagazine.com that version 3.0 of the standards supports an underlying theme of education and awareness for the payment card industry.

“This is the culmination of three years worth of feedback,” Russo said of the new standards.

To help professionals implement the requirements with more ease, the council has incorporated guidance into its 112-page document, like the “Navigating PCI-DSS Guide,” he added.

On Wednesday, Rodolphe Simonetti, managing director of Verizon's Payment Card Industry Services, told SCMagazine.com that the new guidelines were “easier to read and easier to manage.”

On the extended timeline for complying with certain requirements, Simonetti commented that the standards offer the “right mix of security, but also compliance and alliance with business [operations].”

Still, looking towards the expanding threat landscape affecting card data acceptors and processors, some organizations continue to chime in on how the security standards require further expansion and clarification for merchants.

Michael Aminzade, Trustwave's director of compliance delivery for EMEA/APAC regions, commented in an emailed statement to SCMagazine.com on needed improvements to PCI DSS.

He suggested that more be incorporated in the standard on risk assessments.

“Even though the new standards reference risk management strategies that must be met, the standard doesn't enforce companies to adopt any of those strategies,” Aminzade wrote.

In addition, he hoped to see changes to the requirements for addressing mobile security risks.

“Merchants are struggling with how to protect mobile payment solutions and integrating mobile devices into their organizations. The Council released a best practices guide for mobile security more than a year ago, but it would be more beneficial to release additional guidance pertaining to mobile data security,” Aminzade said.

The PCI council has taken efforts to help streamline PCI compliance, and effective card data security, on the whole, for merchants.

The council has now begun certifying point-to-point encryption (P2PE) hardware, for example, to help guide organizations in selecting technology that can safeguard sensitive financial information.

Last Wednesday, PCI SSC announced the first vendor to get its seal of approval – European Payment Services (EPS), a U.K.-based company that develops the now-certified “EPS Total Care P2PE” solution.

prestitial ad