PCI DSS 3.0 is designed to help organizations take a proactive approach to protecting cardholder data, one that focuses on security rather than compliance and makes PCI DSS a business-as-usual practice.
Education and awareness
Lack of education and awareness around payment security, coupled with poor implementation and maintenance of the PCI Standards, gives rise to many of the security breaches happening today. Updates to the standards are geared towards helping organizations better understand the intent of requirements and how to properly implement and maintain controls across their business. Changes to PCI DSS and PA-DSS will help drive education and build awareness internally and with business partners and customers.
Changes in PCI DSS and PA-DSS 3.0 focus on some of the most frequently seen risks that lead to incidents of cardholder data compromise—such as weak passwords and authentication methods, malware, and poor self-detection—providing added flexibility on ways to meet the requirements. This will enable organizations to take a more customized approach to addressing and mitigating common risks and problem areas. At the same time, more rigorous testing procedures for validating proper implementation of requirements will help organizations drive and maintain controls across their business.
Security as a shared responsibility
Securing cardholder data is a shared responsibility. Today’s payment environment has become ever more complex, creating multiple points of access to cardholder data. Changes introduced with PCI DSS and PA-DSS focus on helping each entity understand its own PCI DSS responsibilities when working with different business partners (processors, hosting providers, integrators and resellers), so that cardholder data stays protected across the whole payment chain.
The PCI DSS and PA-DSS are constructed in a way that their principles can be applied to various environments where cardholder data is processed, stored, or transmitted—such as e-commerce, mobile acceptance, or cloud computing.
PCI Data Security Standard (PCI DSS) 3.0
* Protect POS terminals and devices from tampering or substitution.
* Clarified that sensitive authentication data must not be stored after authorization, even if the card number (PAN) is not present.
* Maintain an inventory of system components in scope for PCI DSS.
* Revised password policies to include guidance for users on choosing strong passwords, protecting their credentials, and changing passwords upon suspicion of compromise.
* Enhanced requirements to ensure that changing of default passwords is enforced by the application and appropriately validated.
* Evaluate evolving malware threats for systems not commonly affected by malware.
* Security considerations for authentication mechanisms such as physical security tokens, smart cards, and certificates.
* Updated requirement to require use of a one-way cryptographic algorithm with an input variable (a per-user random salt) to render passwords unreadable.
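The three password-related items above (strong-password guidance, application-enforced change of vendor defaults, and a one-way algorithm with an input variable) describe controls rather than code. The following is an added example written for this page, not code from the PCI SSC or from any payment product, showing what those controls look like together in a small credential store: PBKDF2-HMAC-SHA256 with a per-user random salt as the one-way function, a plain unsalted SHA-256 beside it for contrast, and a password-change path that refuses vendor defaults. The default-password list, the seven-character letters-plus-digits policy and the PBKDF2 work factor are constructed values for the example; a real deployment seeds them from its own defaults and hardware.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set

# Work factor for PBKDF2-HMAC-SHA256. Assumed value for the example; tune it so one
# verification costs tens of milliseconds on your authentication hardware.
PBKDF2_ITERATIONS = 300_000
SALT_BYTES = 16
MIN_PASSWORD_LENGTH = 7  # policy value chosen for this example

# Constructed list of vendor-default / trivially guessable passwords the application
# must refuse. A real deployment seeds this from the product's own factory defaults.
DEFAULT_PASSWORDS = frozenset({"admin", "password", "123456", "pos", "default"})


def unsalted_digest(password: str) -> str:
    """Plain SHA-256, shown for contrast: one-way, but every user with the same
    password gets the same digest, so a leaked table falls to precomputed lookups."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """One-way PBKDF2-HMAC-SHA256 with a per-user random salt (the 'input variable').
    The stored string carries its own parameters so the work factor can be raised
    later without invalidating existing records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def check_policy(password: str) -> List[str]:
    """Return the reasons a proposed password is rejected; an empty list means accepted."""
    problems = []
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("vendor default or trivially guessable password")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("must contain both letters and digits")
    return problems


class CredentialStore:
    """In-memory credential store for a hypothetical payment application.
    Accounts provisioned with a factory default are flagged until the default is changed."""

    def __init__(self) -> None:
        self._hashes: Dict[str, str] = {}
        self._must_change: Set[str] = set()

    def provision_default(self, username: str, default_password: str) -> None:
        self._hashes[username] = hash_password(default_password)
        self._must_change.add(username)

    def set_password(self, username: str, new_password: str) -> None:
        problems = check_policy(new_password)
        current = self._hashes.get(username)
        if current is not None and verify_password(new_password, current):
            problems.append("new password must differ from the current one")
        if problems:
            raise ValueError("; ".join(problems))
        self._hashes[username] = hash_password(new_password)
        self._must_change.discard(username)

    def login(self, username: str, password: str) -> str:
        """Returns 'denied', 'change_required' (default still in place) or 'ok'."""
        stored = self._hashes.get(username)
        if stored is None or not verify_password(password, stored):
            return "denied"
        return "change_required" if username in self._must_change else "ok"


if __name__ == "__main__":
    store = CredentialStore()
    store.provision_default("admin", "admin")      # factory default credential
    print(store.login("admin", "admin"))           # change_required
    try:
        store.set_password("admin", "admin")       # rejected: default, too short, no digit
    except ValueError as exc:
        print("rejected:", exc)
    store.set_password("admin", "Clerk-2014x")
    print(store.login("admin", "Clerk-2014x"))     # ok
    print(store.login("admin", "admin"))           # denied
```

Two things the code shows that the list items only state: hashing the same password twice yields two different stored values because the salt differs, which is exactly the property that makes rainbow-table and cross-user comparison attacks fail against a leaked table, and the application itself (not a policy document) is what keeps a default credential from being used for anything but changing it.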
This document provides insight into anticipated changes to the PCI DSS and PA-DSS for advance informational purposes only, and does not replace the current standards, the to-be-published detailed Summary of Changes, or the new versions of the Standards. The planned publication date of Version 3.0 of PCI DSS and PA-DSS is 7 November 2013, after they have been discussed at the Council’s European Community Meeting in Nice. The updated Standards will become effective on 1 January 2014, per the lifecycle. Entities are encouraged to begin implementing the new version of the Standards as soon as possible; to ensure adequate time for the transition, Version 2.0 will remain active until 31 December 2014.
Food for Thought… You make the call
* Is purchasing a credit card terminal online from a non-credible source secure from tampering and internal skimmers?
* Does your credit card processor take the time to educate you on possible security threats?
* Why not work with your local processor, SmartPay Merchant Services, which can take the time to properly train you and help protect your business in this cyber age?