With PCI DSS v2 being retired on 31 December 2014, merchants and service providers may already be feeling the pressure to transition to PCI DSS v3, which became effective on 1 January 2014 and will become mandatory on 1 January 2015.
Changes are made to the PCI standards every three years, based on feedback from the PCI Security Standards Council’s (PCI SSC) global constituents as part of the PCI DSS and PA-DSS development lifecycle, and in response to market needs. Each new version is therefore generally expected to bring improvements over the last.
So, the question arises: is PCI DSS v3 better than its predecessor?
Experts say that PCI DSS v3 goes beyond compliance and some of the changes have helped put things into context for those who need to comply. The new version gives merchants a more detailed explanation of its requirements and the ways of meeting them, providing a more effective approach and making the process easier for all involved.
Some changes that are considered significant improvements include:
Better response to cyber threats
Req. 5.1.2 mandates the need to ‘evaluate evolving malware threats for any systems not considered to be commonly affected’.
Taking into account the fact that the threat to cardholder data is continually evolving, this requirement aims to ensure that organisations review threats and that these are incorporated into the controls.
Increased staff awareness
Employees directly involved in the payment chain – such as cashiers, waiters, and bank tellers – are most often responsible for internal breaches. New requirements on providing point-of-sale security training and education will improve the security of card transactions.
Troy Leach, CTO at the PCI SSC, said in an interview back in November 2013:
“The No. 1 thing to work on is the need to be aware of security throughout the organization and to educate across the enterprise so that everyone shares the responsibility to protect cardholder data. The technology evolves, but the people and processes inside the organization remain the same. So we need ongoing awareness about accepting and storing cardholder data so that we can come together as a community to ensure the security and safety of that data.”
Security as a shared responsibility
Changes to req. 12.8.5 and the introduction of req. 12.9 will help resolve shortfalls in compliance. This is achieved by ensuring that the point at which the responsibility for protecting cardholder details transfers from the merchant to the service provider is recorded and agreed, reducing misunderstandings.
Bob Russo, general manager of the PCI SSC, said in an interview:
“We want to increase education and awareness, and we want to be more flexible. And especially for smaller merchants that outsource many of their applications, we want to stress that security is a shared responsibility, even if a third party is doing data storage for you.”
Enhanced testing procedures
Requirements 11.3 and 11.3.4 mandate implementing a methodology for penetration testing. Where segmentation is used to isolate the cardholder data environment from other networks, penetration tests must also verify that the segmentation methods are operational and effective.
With ever-evolving cyber attacks, regular security testing of systems and processes is going to be critical. The importance of regular testing is highlighted by Verizon’s 2014 Data Breach Investigations Report, which found that the majority of organisations that suffered a data breach weren’t compliant with requirement 11.
Until 30 June 2015, it is best practice to have a penetration testing methodology. After that point it will be mandatory.
Security as a part of everyday business processes
Finally, one of the biggest improvements, I believe, will require a change in mind-set: the new version really looks to encourage making PCI DSS part of everyday business processes, not just a box-ticking exercise.
Compliance is just one side of the coin, but security is what really matters to credit card holders.
If you need to comply with PCI DSS v3, consider the following resources:
This handy pocket guide, co-written by a qualified PCI QSA, provides all the information you will need when considering how to approach the PCI DSS, and is an ideal tool for awareness training for your PCI staff.
This one-day workshop is designed to provide delegates with the practical knowledge required to complete the new PCI DSS v3 Self-Assessment Questionnaires (SAQs) and ensure full compliance with PCI DSS v3 in 2015.