It’s as if they took the words right out of my mouth. The new guidelines in the Payment Card Industry Data Security Standards (PCI DSS) encourage organizations to focus on security rather than compliance. Hallelujah!
For years I’ve been saying it: “Compliance does not equal security, but when you focus on security, compliance becomes an easy byproduct.”
The new requirements, based on feedback PCI DSS received from the PCI Security Standards Council and payment brand subject matter experts, focus on mitigating some of the most frequently seen risks that have precipitated cardholder-data compromises.
The updated versions of PCI DSS and the Payment Application Data Security Standard (PA-DSS) will add more flexibility for addressing risks and more guidance for integrating card security into everyday activities.
In other words: PCI DSS doesn’t want you to just check off boxes in order to show you’re in compliance. Rather, PCI DSS wants you to consistently protect your organization and its customers from risks.
The PCI DSS 3.0 changes are to be released in November and were created to do the following:
- Provide stronger focus on some of the greater risk areas in the threat environment.
- Provide increased clarity on PCI DSS and PA-DSS requirements.
- Build greater understanding on the intent of the requirements and how to apply them.
- Improve flexibility for all entities implementing, assessing, and building to the standards.
- Drive more consistency among assessors.
- Help manage evolving risks and threats.
- Align with changes in industry best practices.
- Clarify scoping and reporting.
- Eliminate redundant sub-requirements and consolidate documentation.
Although the proposed updates are still under review before the final version, proposed changes for organizations include the following:
- Keep a current diagram of cardholder data flows to clarify how cardholder data moves within the network.
- Maintain an inventory of system components in scope for PCI DSS to support effective scoping practices.
- Evaluate evolving malware threats for systems not commonly affected by malware to promote ongoing awareness and to protect systems from malware.
- Update lists of common vulnerabilities in alignment with OWASP, NIST, SANS and other security organizations to support secure coding practices and keep current with emerging threats.
- Implement security considerations for authentication mechanisms such as physical security tokens, smart cards and certificates, to address requirements for securing authentication methods other than passwords.
- Protect POS terminals and devices from being tampered with, to address the physical security of payment terminals.
- Implement a methodology for penetration testing, and perform penetration tests to verify that segmentation methods are operational and effective.
- Maintain information that states which PCI DSS requirements are managed by service providers and which are managed by the entity.
Service providers must acknowledge responsibility for maintaining applicable PCI DSS requirements.
Feedback on the suggested changes came from qualified security assessors, application and software vendors and associations, and merchants and financial institutions.
PCI Security Standards Council Chief Technology Officer Troy Leach said PCI DSS and PA-DSS 3.0 will provide organizations the framework for assessing the risk involved with their technologies and platforms. The changes will also provide the flexibility to apply these principles to their unique payment and business environments.
PCI DSS and PA-DSS 3.0 will be published on Nov. 7. The standards become effective Jan. 1, 2014, but to ensure adequate time for the transition, version 2.0 will remain active until Dec. 31, 2014.