Last week, the PCI Council released version 3.0 of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS). This most recent version is intended to help “make payment security part of their business-as-usual activities” by introducing more flexibility. Proposed changes for version 3.0 were released in August.
Overall updates to the standards include recommendations for making PCI DSS part of every day business processes, best practices for maintaining PCI DSS compliance, additional guidance built into the standard, and enhanced testing procedures. Several new requirements were added as well, including:
- 5.1.2 – evaluate evolving malware threats for any systems not considered to be commonly affected
- 8.2.3 – combine minimum password complexity and strength requirements into one
- 8.6 – where other authentication mechanisms like tokens, smart cards, certificates, etc., are used, these mechanisms must be linked to an individual account and ensure only the intended user can gain access
- 9.3 – control physical access to sensitive areas for onsite personnel
- 11.5.1 – implement a process to respond to alerts generated by the change-detection mechanism
- 12.8.5 – maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity
Best practices were also added, which will become requirements on July 1, 2015:
- 8.5.1 – use unique authentication credentials for each customer for service providers with remote access to customer premises
- 9.9 – protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution
- 11.3 and 11.3.4 – implement a methodology for penetration testing; if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective
- 12.9 – for service providers, provide the written agreement or acknowledgment to their customers as specified by 12.8.2.
Revisions to the PA-DSS include new requirements that payment application developers verify the integrity of source code during the development process, that vendors incorporate risk assessment techniques into their software development process, and that applicable vendor personnel receive information security training at least annually.
Version 3.0 becomes effective January 1, 2014. Version 2.0 remains in use until the end of 2014 to give organizations time to make the transition to the revised standards.