PCI DSS Version 3.0 Lands with New Requirements


Version 3.0 of the PCI Data Security Standard (PCI DSS) is now mandatory. Its stated aim is to make cardholder data more secure by pushing firms to focus on user education and by giving them greater flexibility to choose the approach that best fits their own environment.

The latest version of the industry standard was first published in November 2013, after several rounds of industry feedback as part of the standard's development cycle, and ran alongside v2.0 for a year-long transition period before v2.0 was finally retired on 31 December 2014.

Given the high volume of major data breaches last year, many of them targeting point-of-sale (POS) systems in the US, it seems to have come not a moment too soon.

The PCI Security Standards Council (SSC) has said that the new version of its flagship security framework adds requirements for password education for users and for security training of staff who operate POS systems.

It also recognizes that individual firms should have the flexibility to choose a security approach that fits their own risk management strategy, specifically when it comes to implementing password strength requirements and prioritizing which logs to review.

Finally, there is more guidance on outsourcing PCI DSS responsibilities to third-party service providers, an important addition given that almost two-thirds of breach investigations found a third party to blame for the security deficiencies involved.

PCI DSS v3.0 aims to encourage organizations to build payment security into everything they do, treating it as 'business-as-usual' rather than a once-a-year assessment exercise.

It requires a defense-in-depth strategy, with continuous monitoring of controls and regular assessment of new threats, so that organizations stay on top of emerging risk.

Piers Wilson, head of product management at Tier-3 Huntsman, argued that organizations which take a check-box approach to compliance, fulfilling only the bare minimum requirements, have misunderstood what PCI DSS is for.

“This is a false economy: not only do regulations evolve and update, as we are seeing, but also attackers do not stand still – the security challenges that version 3.0 of PCI-DSS is designed to address will either grow or change over time too,” he told Infosecurity.

“As a result, organizations need to ensure that not only are they compliant, but that the tools and techniques they are using are in line with agreed best practice and future-proof.”
