For many organizations that collect or process credit card data, complying with the Payment Card Industry Data Security Standard (PCI DSS) usually comes down to an annual compliance demonstration for auditors. But with the third version of the proprietary standard that was released Nov. 7, the PCI Security Standards Council is urging organizations to change gears and make PCI DSS compliance a constant state of affairs.
The PCI DSS compliance standard was originally developed in 2004 by the major credit card companies, and creates an "actionable framework" to help merchants, financial institutions, payment processors and third-party service providers develop payment card security strategies. The framework includes techniques for prevention, detection and response to security incidents. The PCI DSS compliance standard is updated every three years, and becomes more detailed and rigorous with each new release.
This FAQ is part of SearchCompliance's IT Compliance FAQ series.
What are the major differences between PCI DSS 2.0 and PCI DSS 3.0?
The third version of PCI DSS introduces about a dozen new compliance requirements. It also provides clarification and additional guidance for many existing requirements. With version 3.0, the PCI Security Standards Council emphasizes that security should be an integral part of everyday business not just for security professionals, but for all employees. Under PCI DSS 3.0, the council urges organizations to implement a "structured, predictable, and continuous approach" to security controls.
The council notes that massive breaches have occurred in recent years despite PCI DSS compliance guidelines, so version 3.0 enhances focus on employee education and awareness. Training employees not to facilitate breaches by choosing dumb passwords, falling for phishing scams or giving away company data on social networks is an essential part of this shared security responsibility.
Regular monitoring and testing of systems, procedures and devices is another major cornerstone of PCI DSS 3.0. Perhaps the most far-reaching change requires organizations to implement rigorous penetration testing of security systems and to regularly inspect point-of-sale devices.
What new requirements are included in PCI DSS 3.0?
Existing PCI DSS requirements were enhanced or clarified in version 3.0, and about a dozen new compliance requirements were added, including:
Req. 2.4: Maintain an inventory of system components in scope for PCI DSS to support development of configuration standards.
Req. 5.1.2: Evaluate evolving malware threats for any systems not considered to be commonly affected.
Req. 6.5.10: Establish coding practices to protect against broken authentication and session management.
Req. 8.2.3: Minimum password complexity and strength requirements are combined, and increased flexibility for alternatives is provided.
Req. 8.5: For service providers with remote access to customer premises, use unique authentication credentials for each customer.
Req. 8.6: Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) these must be linked to an individual account and ensure only the intended user can gain access.
Req. 9.3: Control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination.
Req. 9.9: Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
Req. 11.5.1: Implement a process to respond to any alerts generated by the change-detection mechanism.
Req. 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
Req. 12.9: For service providers, provide a written agreement/acknowledgment to their customers as specified.
Another hallmark of PCI DSS 3.0 is the requirement for more robust penetration testing of security controls. Under new requirements 11.3 and 11.3.4, organizations that segment cardholder data from other networks must deploy an industry-accepted penetration testing methodology to show that the segmentation is effective.
Will the latest requirements under PCI DSS 3.0 increase compliance costs?
Security experts are confident that merchants' compliance costs will increase under PCI DSS 3.0, largely because of the new penetration testing requirements. Under these new requirements, it is the merchants' responsibility to show that the methods used to segment cardholder data from other networks were effective.
Requirement 9.9 directs merchants to protect point-of-sale devices from tampering. For many businesses, this could create an added cost of regularly having systems inspected on-site. Requirement 2.4 requires them to maintain an inventory of all hardware and software in the cardholder data platform, which also could be a time-consuming process.
Generally, embedding security into everyday business through enhanced education and regular monitoring and testing will likely require additional time and resources from many organizations. Meeting new requirements for detecting malware and for responding to change-detection alerts, for example, could demand expanded resources.
How will the latest requirements under PCI DSS 3.0 affect service providers?
The PCI Security Standards Council notes that IT outsourcing remains popular, and PCI DSS 3.0 encompasses a number of significant new requirements for service providers. "Sixty-three percent of investigations identifying a security deficiency easily exploited by hackers revealed a third party responsible for system support, development or maintenance," according to the council.
For providers that have remote access to customer premises for delivering technical support, unique authentication credentials must be used for each customer. Providers also must give customers written agreements acknowledging which data they are responsible for protecting. Experts anticipate that providers will have to come up with more detailed contracts delineating compliance responsibilities. The goal is to clear up confusion among providers and their customers as to who is responsible for PCI DSS compliance.
More SearchCompliance FAQs
Can organizations fight federal surveillance information requests?
What is the Dodd-Frank Act swaps market call recording rule?
What are the SEC's rules for disclosing information via social media?
When do the PCI DSS 3.0 requirements go into effect?
PCI DSS 3.0 goes into effect Jan. 1, 2014, but businesses are given a year to implement the updated standard. Additional leeway is offered for complying with several of the more complex new requirements, including coding practices to protect against broken authentication and protecting POS devices against tampering.
Service providers also have until July 1, 2015, to meet requirements for using unique authentication credentials for each customer and for providing customers with written agreement/acknowledgment of responsibilities.
New penetration testing requirements are not effective until July 1, 2015, but the requirements under PCI DSS 2.0 must be followed until then.
This was first published in December 2013