New Payment Card Security Standards in 2014
New security requirements are coming for merchants, banks, and payment processors. The updated standard, issued by the PCI Security Standards Council, is meant to protect the cardholder data behind debit, credit, prepaid, and ATM cards, including data captured at the point of sale. Version 3.0 takes a more comprehensive approach built on the concept of "shared responsibility." It becomes effective January 1, 2014, but version 2.0 remains valid until December 31, 2014 so organizations have adequate time to transition. Either way, change is on the horizon.
Merchants and service providers should review their Payment Card Industry Data Security Standard (PCI DSS) posture to prepare for version 3.0. Thematic changes in version 3.0 include:
- Greater emphasis on making the security requirements part of an overall security strategy and day-to-day practice. Treating security as "business as usual" is intended to replace the once-a-year "check box" mentality with controls that are implemented and monitored on an ongoing basis.
- A new shared responsibility for compliance between the entity and its service providers, with clear identification of which roles and services each party provides. Both the service provider and the merchant must be accountable to the standard.
- Expanded focus on understanding and documenting cardholder data flows, PCI DSS policies and procedures, the devices within the cardholder data environment, and the users who have access to the data.
- More rigorous technical testing, with specific guidance on the approach and execution of testing.
Three categories of changes
Changes to PCI DSS fall into three broad categories:
- Clarification — More concise wording in the standard to clarify meaning and intent.
- Additional guidance — These changes explain, define, and/or add instruction to increase understanding or provide further information and guidance on a specific topic.
- Evolving requirement changes — These changes help to ensure that the standards are up to date with emerging threats and changes in the market.
The new PCI DSS requirements include (but are not limited to) the updates in the following table.
| Requirement | Change |
| --- | --- |
| 5.1.2 | Evaluate evolving malware threats for systems not commonly considered to be affected by malware |
| 8.2.3 | Combine the minimum password complexity and strength requirements into one requirement, and increase flexibility for equivalent alternatives |
| 8.5.1 | For service providers with remote access to customer premises, use unique authentication credentials for each customer |
| 8.6 | Other authentication mechanisms (e.g., security tokens, smart cards, certificates) must be linked to an individual account so that only the intended user can gain access |
| 9.3 | Control physical access to sensitive areas for onsite personnel, including a process to authorize access and to revoke it immediately upon termination |
| 9.9 | Protect devices that capture payment card data through direct physical interaction with the card from tampering and substitution |
| 11.3 and 11.3.4 | Implement a methodology for penetration testing; if segmentation is used to isolate the cardholder data environment from other networks, penetration tests must verify that the segmentation methods are operational and effective |
| 11.5.1 | Implement a process to respond to any alerts generated by the change-detection mechanism |
| 12.8.5 | Maintain information about which PCI DSS requirements are managed by each service provider and which are managed by the entity |
| 12.9 | Service providers must acknowledge in writing to their customers that they are responsible for the security of the cardholder data they possess or otherwise store, process, or transmit on the customer's behalf |
What you need to do by January 1, 2015
Even if you're compliant with PCI DSS version 2.0, you must prepare for the updated standard. Assessments against version 2.0 will not be accepted after December 31, 2014, so take a close look at the version 3.0 changes, determine how your organization will bridge the gap from version 2.0 to version 3.0, and build a timeline that gets you there by January 1, 2015. A handful of the new requirements (6.5.10, 8.5.1, 9.9, 11.3, and 12.9) are treated as best practices until June 30, 2015, after which they become mandatory; don't let that grace period push the rest of the work into 2015. Get help if you need it.