PCI-DSS v3.0 Standard
Today the Payment Card Industry (PCI) Security Standards
Council (PCI SSC)
published updated payment security standards PCI Data Security Standard
(PCI-DSS) version 3.0.
It comes with
new security requirements and guidance that aim to make electronic
payment infrastructure more secure. It places renewed emphasis on
education, awareness, continued security monitoring and clarifies the
rules that merchants
will need to comply with to be PCI-certified.
This version includes a number of additions and clarifications to
current requirements, general guidance that affects several
requirements or the overall PCI compliance process, and some
significant new requirements. The
new standards focus on making payment security part of organizations
and professionals “business-as-usual activities.” Version 3.0 of
the standards supports an underlying theme of education and awareness.
Ten new requirements have been introduced in PCI-DSS
v3.0, including rules for assessing malware threats and for requiring
service providers with remote access to card data to have unique
authentication credentials. Standards for managing employees'
physical access to financial information were also added.
Proper Malware Detection
One of the requirements that merchants will need to
comply with in 2013 is to have proper malware detection. A
requirement has been added to make sure that merchants and anyone
handling payment card data have a good risk management process in place
for handling malware.
The new requirement recognizes that threats are likely
to evolve, especially on systems not commonly affected by malware, and
merchants need to be diligent.
The new version 3.0 standard has an emphasis on
providing more flexibility for security controls to be met in different
and evolving ways, and that includes password complexity.
Previously PCI required passwords to be a
seven-character or greater, alpha-numeric combination. The new
version recognizes that there might now be other means to have an
equivalent type of value in the integrity of the authentication, so it
might not just be a password.
The emphasis on password security is one of the most important changes
in PCI DSS 3.0 because weak passwords have been a primary cause of
numerous card data breaches.
If segmentation is
used to isolate the cardholder data environment from other networks,
penetration tests must now verify that the segmentation methods are
operational and effective. The intent is for merchants to conduct
their own vulnerability assessments in addition to the existing
mandated quarterly assessments by an approved scanning vendor.
Other new requirements include:
- Service providers with remote access to customer
premises must use unique authentication credentials for each customer
- Where other authentication mechanisms are used, these
must be linked to an individual account and ensure only the intended
user can gain access
- Physical access to sensitive areas for onsite
personnel must include a process to authorize access, and revoke access
immediately upon termination
- Devices that capture payment card data via direct
physical interaction with the card must be protected from tampering and
- Implement a methodology for penetration testing; if
segmentation is used to isolate the cardholder data environment from
other networks, perform penetration tests to verify that the
segmentation methods are operational and effective
- Maintain information about which PCI DSS requirements
are managed by each service provider, and which are managed by the
Merchants have until January 1, 2014 before the requirements become
effective. In addition a number of new requirements will remain best
practices until July 1, 2015.
One of the new best practices that will not be required until 2015 is a
need for agreements between merchants and third-party service providers
about the responsibilities of protecting cardholder data.
Help with PCI-DSS
Do you need to have a risk assessment to see what you need to do to be
compliant with PCI-DSS v3.0? Do you need a proper malware risk
management process? Do you need continual security
monitoring? Do you need to perform internal penetration
testing? No worries—we’re here to help.
You can can access the standards and detailed summary of
changes from version 2.0 to version 3.0 at the PCI SSC website.
If you need assistance with a risk assessment, a risk
management process, security monitoring, or penetration testing, IT
Services can help. Please contact us.