The Payment Card Industry (PCI) Security Standards Council (PCI SSC) published the updated payment security standards PCI Data Security Standard (PCI-DSS) version 3.0.
It comes with new security requirements and guidance that aim to make electronic payment infrastructure more secure. It places renewed emphasis on education, awareness, continued security monitoring and clarifies the rules that merchants will need to comply with to be PCI-certified.
This version includes a number of additions and clarifications to current requirements, general guidance that affects several requirements or the overall PCI compliance process, and some significant new requirements. The new standards focus on making payment security part of organizations' and professionals' "business-as-usual" activities. Version 3.0 of the standards supports an underlying theme of education and awareness.
Ten new requirements have been introduced in PCI-DSS v3.0, including rules for assessing malware threats and for requiring service providers with remote access to card data to have unique authentication credentials. Standards for managing employees' physical access to financial information were also added.
Proper Malware Detection
One of the requirements that merchants will need to comply with in 2013 is to have proper malware detection. A requirement has been added to make sure that merchants and anyone handling payment card data have a good risk management process in place for handling malware.
The new requirement recognizes that threats are likely to evolve, especially on systems not commonly affected by malware, and merchants need to be diligent.
The new version 3.0 standard emphasizes flexibility in how security controls can be met, allowing different and evolving approaches, and that includes password complexity.
Previously, PCI required passwords to be an alphanumeric combination of seven or more characters. The new version recognizes that other authentication methods may now provide equivalent strength, so the control need not be a password alone.
The emphasis on password security is one of the most important changes in PCI DSS 3.0 because weak passwords have been a primary cause of numerous card data breaches.
If segmentation is used to isolate the cardholder data environment from other networks, penetration tests must now verify that the segmentation methods are operational and effective. The intent is for merchants to conduct their own vulnerability assessments in addition to the existing mandated quarterly assessments by an approved scanning vendor.
Other new requirements include:
Merchants have until January 1, 2014 before the requirements become effective. In addition, a number of new requirements will remain best practices until July 1, 2015.
One of the new best practices that will not be required until 2015 is a need for agreements between merchants and third-party service providers about the responsibilities of protecting cardholder data.
Help with PCI-DSS Compliance
Do you need to have a risk assessment to see what you need to do to be compliant with PCI-DSS v3.0? Do you need a proper malware risk management process? Do you need continual security monitoring? Do you need to perform internal penetration testing? No worries—we’re here to help.