The PCI Security Standards Council is set to officially release its third iteration of PCI DSS in two days on November 7, and the new version features numerous changes. In an effort to help organizations prepare for the upcoming alterations, the council recently released a document highlighting what to expect in version 3.0.
According to the document, when developing version 3.0, the council considered pressing factors such as what initiatives will improve payment security, the cost and benefits of infrastructure adaptations, how the changes will impact organizations, and global market concerns. Let’s look at what new provisions have emerged in PCI DSS 3.0.
What’s New With PCI DSS 3.0?
There are several new sub-requirements and numerous updates in version 3.0, organized around three key themes: education and awareness, greater flexibility, and a shared-responsibility approach to security.
“It’s about making PCI compliance part of your business, not a once-a-year, study-for-the-test kind of thing,” Bob Russo, general manager of the PCI SSC, said in a recent interview with SearchSecurity, TechTarget reported. “But there are a lot of things that are new or have changed, so to that end, we want to center it around education and awareness, and make sure people understand what the focus is.”
ComputerWeekly explained that education is woven more thoroughly into the new standard, with more emphasis on training staff so that everyone understands the value and importance of good security practices, including choosing strong passwords. These changes are intended to reduce risks such as the compromise of a privileged user’s account.
“We are also allowing merchants to use pass phrases instead of a password to try and improve security, but at the same time make it easier to remember without sticking notes on the computer screen,” Jeremy Kind, European director of the PCI Security Standards Council, told the source. He later stressed the importance of taking compliance beyond IT, commenting, “Although PCI DSS involves a lot of IT and IT input, it is not only a job for the IT director. It does need the buy-in from everybody in the organization. If we can get the C-level staff involved and understand that this is a change of mindset, that will help improve the overall security.”
In a recent article for TechTarget, Qualified Security Assessor (QSA) Steven Weil explained the new challenges and advantages that version 3.0 will bring. It is important to realize that the fundamental PCI requirements have not changed, although the new version will clarify a few points of PCI 2.0. Weil suggested that new PCI assessments will be similar to those conducted under the guidance of 2.0, with an added focus on transparency and consistency.
Weil also highlighted which new requirements organizations need to be specifically prepared for, emphasizing the additional controls applied to point-of-sale devices to prevent tampering.
“To meet these new requirements, many organizations will need to develop and implement new POS security processes, such as maintaining up-to-date inventories, performing periodic POS inspections and providing employee training about POS security; QSAs will expect all such processes to be thoroughly documented and regularly performed,” Weil wrote.
Another point that Weil addressed was the new requirement for risk assessments. Under 2.0, organizations were only required to perform an annual risk assessment of the cardholder data environment (CDE); 3.0 will require an additional risk assessment every time the CDE undergoes a significant change. Weil noted, however, that there will likely be considerable debate over what exactly constitutes a significant change, which makes it all the more important for organizations to closely evaluate any changes to IT systems that handle payment card data.