After considering feedback from the global payment card industry, the PCI Security Standards Council (PCI SSC) has published its new guidelines for securing card data.
On Thursday, version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) became available to merchants, who have until January 1, 2014, before the requirements take effect.
The new standards focus on making payment security part of organizations' and professionals' “business-as-usual activities,” the PCI council said in a release on the guidelines.
Ten new requirements have been introduced to PCI DSS, including rules for assessing evolving malware threats affecting payment systems and for requiring service providers with remote access to card data to have unique authentication credentials. Standards for managing employees' physical access to financial information were also added.
In addition, merchants should be aware that a number of new requirements will remain best practices until July 1, 2015, to give organizations time to fully comply.
For instance, PCI DSS requirement 9.9, which calls for protecting devices that capture card data through direct physical interaction, such as point-of-sale (POS) terminals, from tampering and substitution, is among the requirements that organizations have an extended period of time to implement.
New PA-DSS requirements, which revolve around the security of payment applications, include standards requiring payment application developers to ensure the integrity of their source code, and to provide security and PA-DSS training at least once a year for vendor personnel with payment application security responsibilities.
Bob Russo, general manager of the PCI council, told SCMagazine.com that version 3.0 of the standards supports an underlying theme of education and awareness for the payment card industry.
“This is the culmination of three years worth of feedback,” Russo said of the new standards.
To help professionals implement the requirements with more ease, the council has incorporated guidance into its 112-page document, like the “Navigating PCI-DSS Guide,” he added.
On Wednesday, Rodolphe Simonetti, managing director of Verizon's Payment Card Industry Services, told SCMagazine.com that the new guidelines were “easier to read and easier to manage.”
On the extended timeline for complying with certain requirements, Simonetti commented that the standards offer the “right mix of security, but also compliance and alliance with business [operations].”