Since 2004, the Payment Card Industry Data Security Standard (PCI DSS), driven by Visa, MasterCard, Discover, American Express and JCB, has governed how cardholder data is stored, processed and transmitted. As the industry prepares for the next version, PCI DSS 3.0, due out later this year, this post reviews the likely material changes.
PCI DSS updates follow a three-year cycle, providing time for review, comment, update and adoption. PCI DSS 3.0 categorizes its changes as 1) clarifications to existing requirements, 2) additional guidance for meeting existing requirements, and 3) evolving or new requirements. PCI DSS 3.0 introduces many changes, but several themes emerge: a) a "business as usual" approach, b) enhanced vendor management programs, c) improved secure coding practices, d) improved training and awareness, and e) operational changes. We will visit each in greater detail.
Security Should be Business as Usual
The business-as-usual theme aims to move PCI practitioners toward treating the safeguarding of cardholder data as a data protection program rather than a compliance activity. If it succeeds, protecting cardholder data becomes part of day-to-day operations, not an activity that starts a few weeks before the audit.
Vendor Management
Service providers, it is broadly believed, are often the cause of data loss. DSS 3.0 adds enhanced due diligence requirements for third-party service providers and additional responsibilities for those vendors. The hope is that requiring additional security controls of service providers will reduce the number of data breaches.
Secure Coding Practices
Secure coding practices continue to be an industry challenge. DSS 3.0 adds further measures, such as restrictions on primary account number (PAN) and sensitive authentication data (SAD) "stored" in memory, and separation of duties for developers.
Training and Awareness
Compliance programs will lean further on training and awareness. These education activities will include ongoing communications that reinforce the "business as usual" paradigm. For example, weak and default passwords continue to plague the industry, so awareness efforts will cover password length and complexity.
Operational Changes
Operational changes include ongoing validation of the control set as part of business as usual, along with controls such as more robust penetration testing, enhanced logging requirements, and periodic physical inspection of POS devices for evidence of tampering.
The new requirements by themselves will not make cardholder data more secure. However, continued enforcement and adoption should result in more robust and effective data security programs. Ideally the industry will see DSS 3.0 not as more onerous compliance requirements, but as the security program enhancements needed to better protect consumers' credit card information.
For the full list of changes the PCI SSC is introducing, see: https://www.pcisecuritystandards.org/documents/DSS_and_PA-DSS_Change_Highlights.pdf