Is PCI DSS version 3.0 just another version of the Standard or a new weapon in the fight against global cyber crime?

Commerce is widely affected by cyber crime. Cardholder data continues to be an attractive target for criminals, and the number of attacks exploiting security vulnerabilities is constantly increasing. Recognising that an effective response must adapt to the threat it faces, the PCI Security Standards Council (PCI SSC) revises its Payment Card Industry Standards (PCI DSS and PA-DSS) every three years based on industry feedback, as well as in response to current market needs. The evolving requirements of the standards ensure that they remain up to date with emerging threats, implementation and maintenance challenges, and market changes.

Challenge areas and change drivers

The PCI DSS applies to all organisations that process, store or transmit cardholder data, and industry feedback on the Standard comes to the PCI SSC from more than 700 Participating Organisations, including merchants, banks, processors, hardware and software developers, boards of advisors, point-of-sale vendors, and the assessment community. Ahead of the publication of version 3.0 of both standards in November 2013, the PCI SSC identified certain common challenge areas and drivers for change, which included:

  • lack of education and awareness;
  • weak passwords and authentication;
  • third-party security challenges;
  • slow self-detection and malware; and
  • inconsistency in assessments.

The updates introduced in version 3.0 address these challenges by adding guidance and clarification on the intentions of the Standard’s requirements, and suggest ways of meeting those requirements.

PCI DSS changes

Changes introduced in version 3.0 have been designed to help organisations take a more proactive approach to protecting cardholder data that focuses on security rather than compliance. The aim is to make the PCI DSS an everyday part of normal business practice. Key themes emphasised throughout version 3.0 include:

» Education and awareness

A lack of education about, and awareness of, payment security, coupled with poor implementation and maintenance of the PCI Standards, causes many of today’s common security breaches. Updates to the PCI Standards aim to help organisations understand the Standards’ requirements and how to implement and maintain controls properly across their businesses. Changes to both the PCI DSS and PA-DSS will help build awareness within the organisation as well as with business partners and customers.

» Increased flexibility

Changes in the PCI DSS and PA-DSS focus on the most common risks that lead to incidents of cardholder data compromise (such as weak passwords and authentication methods, malware, and poor self-detection), and provide added flexibility in the ways organisations can meet the Standards’ requirements. Organisations will now be able to take a more customised approach to addressing and mitigating common risks and problem areas. More rigorous testing procedures for validating proper implementation of requirements will help organisations drive and maintain controls across their business.

» Security as a shared responsibility

Securing cardholder data is a shared responsibility. Today’s payment environment has become ever more complex, creating multiple points of access to cardholder data. Changes introduced with the PCI DSS and PA-DSS v3.0 focus on helping organisations understand their own PCI DSS responsibilities when working with different business partners, so that cardholder data remains secure across all parties.

Summary

The updated versions of the PCI DSS and PA-DSS will:

  • provide stronger focus on some of the greater risk areas in the threat environment;
  • provide increased clarity on the PCI DSS and PA-DSS requirements;
  • build greater understanding on the intent of the requirements and how to apply them;
  • improve flexibility for all entities implementing, assessing, and building to the standards;
  • drive greater consistency among assessors;
  • help manage evolving risks and threats;
  • align with changes in industry best practices;
  • clarify scoping and reporting; and
  • eliminate redundant sub-requirements and consolidate documentation.

So, does this amount to just another update, or are the changes enough to have a real impact on the fight against cyber crime?

Attend our ISO27001:2013 and PCI DSS v3.0 event on 8 May at the Churchill War Rooms, London, to find out more about the change drivers and key themes of the new version of the PCI DSS (version 3.0).