alphaspirit - Fotolia
The first version of the Payment Card Industry Data Security Standard (PCI DSS) was released in 2004 and was designed as a way to improve cardholder information security and prevent fraud. Since its release more than a decade ago, however, critics have argued that PCI DSS is little more than an expensive compliance checklist.
The third version of the PCI DSS standard went into effect Jan. 1, 2015, and attempts to address the criticism by focusing on ways to make cardholder security part of "business as usual." Generally, changes that came with the release of PCI DSS version 3.0 focus on enhancing education and awareness, making the standard more flexible and clarifying third parties' compliance responsibilities.
This FAQ is part of SearchCompliance's IT Compliance FAQ series.
What types of businesses will be affected by the changes made in PCI DSS version 3.0?
PCI DSS v3 brings a new category of merchants into the compliance regime: Online retailers that redirect payments to a third party, even without having contact with cardholder data themselves, will now have to undergo compliance audits.
As with previous versions of the standard, organizations that deal with credit cards from major brands --including Visa, MasterCard, American Express, Discover and JCB -- are required to meet PCI DSS 3.0 compliance requirements.
The latest version also clarifies PCI DSS applicability to payment application vendors. All organizations that store, process or transmit cardholder data or sensitive authentication data must meet PCI DSS version 3.0 requirements, including merchants, service providers, payment processors, issuing banks and acquiring banks.
What are the general differences between the second and third versions of PCI DSS?
To make employees more aware of their role in preventing cardholder data breaches, PCI DSS version 3.0 provides best practices to incorporate security into regular business activities. PCI DSS 3.0 requires password education for users, as well as point-of-sale security training and education. It also gives organizations greater flexibility when implementing appropriate password strengths and in prioritizing log reviews to help ensure they are compatible with their own security and risk management strategies. To help organizations better understand PCI DSS version 3.0, it includes a detailed description of the intent behind each requirement.
Version 3.0 also addresses the problem of security vulnerabilities that can be introduced via third parties. According to the 2013 Trustwave Global Security Report used by the PCI Security Standard Council, 63% of investigations that turn up an easily exploited security deficiency show a third party involved in supporting, developing or maintaining the system. Version 3.0 offers guidelines on outsourcing PCI DSS responsibilities and outlines the outsourcer's security requirements (Req. 12.9). PCI DSS v3 also requires organizations to maintain records stating which requirements are managed by each service provider and which are managed by the organization itself (Req. 12.8.5).
What changes were made in the PCI DSS version 3.0 to strengthen access controls?
The third version of PCI DSS includes several changes regarding access control measures and restricting physical access to cardholder data. Service providers with remote access to customer premises must use unique authentication credentials for each customer (Req. 8.5.1). In addition, other authentication mechanisms such as security tokens, smart cards or certificates, must be linked to an individual account that can only be accessed by the intended user (Req. 8.6).
Areas where cardholder data can be accessed on site must be controlled using an access authorization process, and there must be immediate access revocation of these access privileges upon termination (Req. 9.3). It will also soon be required that devices that capture payment card data be protected from tampering and substitution, but this regulation does not go into effect until July 1.
What changes were made in the PCI DSS version 3.0 to improve access tracking and monitoring, and to improve systems and processes testing?
PCI DSS 3.0 enhances tracking requirements to include changes to identification and authentication mechanisms, as well as changes, additions and deletions to accounts with root or administrative access (Req. 10.2.5). Organizations are now required to keep an inventory of authorized wireless access points and a business justification to support scanning for unauthorized wireless devices (Req. 11.1.1). If unauthorized wireless access points are detected, an organization must align incident response procedures with an already-existing testing procedure (Req. 11.1.2). Implementing a methodology for penetration testing will also be a requirement later this year, but does not go into effect until July 1.
If an organization uses segmentation to isolate the cardholder environment from other networks, it is required to perform penetration tests to verify that the segmentation methods are operational and effective (Req. 11.3.4). Also, there must be a process to respond to alerts from change-detection mechanisms (Req. 11.5.1).
What changes were made in the PCI DSS Version 3.0 to address emerging threats?
The latest version of PCI DSS includes a number of new and enhanced requirements for organizations to deal with emerging malware threats. Organizations must maintain a network diagram that includes cardholder data flows and an inventory of system components in scope for PCI DSS to support development of configuration standards (Req. 2.4). They must also evaluate evolving malware threats for systems that are not considered commonly affected by malware (Req. 5.1.2). Finally, beginning July 1, they must implement coding practices to protect against broken authentication and session management (Req. 6.5.10).
What guidance, apart from the new requirements, is offered in the PCI DSS version 3.0?
PCI DSS version 3.0 includes new guidance to help organizations determine the scope of their compliance assessments. It offers examples of system components, and it clarifies the intent of segmentation and third-party responsibilities. It also clarifies what evidence third parties have to give customers to verify the third party's scope of PCI DSS compliance. In addition, version 3.0 adds a new section with recommendations for implementing security into business-as-usual activities.
FCC proposals spark net neutrality controversy
FTC targets data privacy and security improvements
'Heartbleed' OpenSSL flaw exposes security vulnerabilities
SEC rule development, enforcement continues to evolve
Consumer security in the spotlight after Target data breach