PCI Council previews update to standards

August 21, 2013

The PCI Security Standards Council, an open, global forum for the development of payment card security standards, has published "PCI Data Security Standard and Payment Application Data Security Standard 3.0 Change Highlights" as a preview of the new version of the standards to be released in November.

According to a news release from PCI SSC, the changes will help companies make PCI DSS part of their business-as-usual activities by introducing more flexibility, and increasing the focus on education, awareness and security as a shared responsibility.

Key drivers for version 3.0 updates include:

  • lack of education and awareness;
  • weak passwords and authentication challenges;
  • third-party security challenges;
  • slow self-detection in response to malware and other threats; and
  • inconsistency in assessments.

"Today, most organizations have a good understanding of PCI DSS and its importance in securing card data, but implementation and maintenance remains a struggle — especially in light of increasingly complex business and technology environments," said Bob Russo, PCI SSC general manager. "The challenge for us now is providing the right balance of flexibility, rigor and consistency within the standards to help organizations make payment security business-as-usual. And that's the focus of the changes we're making with version 3.0."

Version 3.0 will introduce more changes than version 2.0, with several new sub-requirements. Proposed updates include:

  • recommendations on making PCI DSS business-as-usual, plus best practices for maintaining PCI DSS compliance;
  • security policy and operational procedures built into each requirement;
  • guidance for all requirements with content from Navigating PCI DSS Guide;
  • increased flexibility and education around password strength and complexity;
  • new requirements for point-of-sale terminal security;
  • more robust requirements for penetration testing and validating segmentation;
  • considerations for cardholder data in memory;
  • enhanced testing procedures to clarify the level of validation expected for each requirement;
  • expanded software development lifecycle security requirements for PA-DSS application vendors, including threat modeling.

Updates are still under review by the PCI community; final changes will be determined after the PCI Community Meetings in September and October. Changes will be incorporated into the final versions of the PCI DSS and PA-DSS, which will be published in November.

"PCI Data Security Standard and Payment Application Data Security Standard 3.0 Change Highlights," including tables of anticipated updates, is available at the PCI SSC website.

Additionally, the council will host a webinar series to outline the proposed changes. Participants are invited to register online.

PCI DSS and PA-DSS 3.0 will be published on Nov. 7. The standards become effective on Jan. 1, 2014, but to ensure adequate time for the transition, version 2.0 will remain active until Dec. 31, 2014.

©2025 Networld Media Group, LLC. All rights reserved.