PCI Compliance 3.0 Overview - Part 1

November 12, 2013

“Cardholder data continues to be a target for criminals. Lack of education and awareness around payment security and poor implementation and maintenance of the PCI Standards leads to many of the security breaches happening today.” (Data Security Standard and Payment Application Data Security Standard, Version 3.0 Change Highlights)

The PCI Security Standards Council recently released the highlights for a new version of PCI Compliance. This document is an overview of anticipated changes to the current PCI Data Security Standard (PCI DSS) and Payment Application-Data Security Standard (PA-DSS). This document was released to:

  • Help stakeholders review and discuss the draft versions of the new standards
  • Prepare stakeholders to align security programs to the updated Data Security Standards
  • Leave a reasonable amount of time for merchants to review and understand PCI DSS and PA-DSS before implementation.

The document released is not the new PCI Compliance 3.0 or the actual changes that will be implemented, but rather a bit of a “heads up” for everyone. It is anticipated that 3.0 will be effective on January 1st, 2014, but Version 2.0 will remain active until the 31st of December 2014, and compliant vendors will have until 2015 to move to the new standard. One of the main drivers for the change was actual feedback from the industry. The areas of challenge that contributed to this update include:

  • lack of education/awareness on PCI
  • weak authentication practices and password protection
  • 3rd party security changes/updates
  • malware issues
  • inconsistent assessments by assessors

The core 12 security areas will remain the same, but Version 3.0 will include new requirements. These changes are designed to give companies strong security principles that can be applied more easily to their tech/payment/business. The updated versions will:

  • Be more focused on risk
  • Further clarify PCI DSS & PA-DSS requirements
  • Help build a better understanding of the intent of PCI DSS and how to apply it
  • Improve and provide more flexible ways to implement the standards
  • Help make PCI assessment more consistent
  • Address evolving threats
  • Update with new and changing industry best practices
  • Refine reporting and scoping
  • Consolidate the PCI documentation

It is quite a relief to see an increased interest in helping merchants understand and adopt PCI compliance, as it creates a major benefit to many organizations and merchants. Although the changes may seem minor, it is expected that many of these revisions could have a significant impact on your organization. (See part 2 for more details on PCI 3.0.)
