
Card Data Standard 3.0 Launched


18.11.2013
The latest version of the Payment Card Industry Data Security Standard (PCI DSS) has been published by the PCI Security Standards Council. Businesses handling payment card data must comply with it, and the updated requirements oblige organisations to demonstrate stronger security in order to achieve certification. The new standard will become effective on January 1, 2014.

Briefly, the PCI SSC’s version 3.0 aims to make compliance with the standard part of ‘business as usual’. There is more focus on security training, with the aim of having people understand that security is a shared responsibility. Significantly, the standard covers electronic, physical and personnel security, from passwords and malware to penetration testing and risk assessment of software development. For instance, there is now a requirement for access control to sensitive areas for on-site personnel, including a process to authorise access and to revoke it at once when a staff member leaves the job. Staff responsible for data security ought to receive information security training at least annually.

Version 3.0 is available on the PCI SSC website.

You can access the standards and a detailed summary of changes from version 2.0 to version 3.0 at the PCI SSC website.

Supporting documentation including updated Self-Assessment Questionnaires (SAQ), Attestations of Compliance (AOC) and Reporting Templates will be available in early 2014 once version 3.0 is effective. 
Derek Brink, vice president and research fellow, Aberdeen Group, said: “Over the course of several years now, the PCI Security Standards Council has done a laudable job at defining and evolving a cohesive set of standards, as well as at listening and adapting over time to the feedback from merchants, banks, payment processors, service providers, and technology providers. The stake-holders in the payment card community seem to be working to put security and compliance in the right relationship – i.e., that compliance does not drive security; compliance is the result of foundational security practices.” 

And Bob Russo, general manager, PCI SSC, said: “PCI Standards continue to provide a strong framework for payment card security. The core principles at work when we first published PCI DSS are still relevant today. Version 3.0 builds on these to address the feedback we’ve heard from our community and to help organisations make payment security good business practice – every day, all year round.” 


Paul Ayers, VP EMEA at data security product firm Vormetric, said: “Typically, companies have approached PCI DSS as a type of ‘check box’ compliance activity where once a year they make sure they’re adhering to the stipulations of the standard. While it’s fair to say that you absolutely must comply with various legislation and standards like PCI DSS, and more rigorous mandates are welcomed, it is important to remember that by their nature these rules and regulations are fairly static, while the attack environment seeking to exploit payment card details is dynamic and constantly evolving.

“While security is a shared responsibility and should be ingrained into day-to-day activities, a pertinent point raised in this latest version of the standard, data is incredibly vulnerable, and it cannot protect itself. The key to protection is looking beyond what is just regulatory. My advice is to take a proactive approach to information security. As we continue to see privileged account credentials being raided by cyber-criminals and people continuing to rely on weak passwords, the focus of protection needs to shift to defend the data itself from the outset.” 

Tripwire works with retailers around the world on PCI compliance. Steve Hall, director of PCI solutions for Tripwire, said:

“The good news is PCI 3 includes new reporting templates with reporting guidance – the PCI community is definitely looking forward to this. The bad news is the report on compliance format is still in development - they’re tentatively committed to have this released by March. This means that while the new standard takes effect on January 1, 2014, the QSA will not have any way to determine if they are testing the right procedures until March and they won’t be able to provide any reports until 90 days later. Even though V2 compliant vendors will have a one year grace period, this gap is going to be a significant friction point between the standards body, merchants and service providers, and the QSAs.”

Ross Brewer, vice president and managing director for international markets, LogRhythm, said: “Following a number of recent high profile data breaches, it couldn’t be a better time for the latest iteration of PCI to rear its head. There’s no doubt that cyber attacks are continuing to grow in sophistication and pose a very real, very serious threat to all businesses, not just those processing cardholder information. As a result, it’s become crucial that issues such as weak passwords, lack of authentication processes and inconsistent assessments are addressed – and regulated – to reflect this. That said, a lack of awareness and inadequate training on standards such as PCI is simply no longer acceptable.

“A big concern is that organisations tend to view compliance as a one-off obligation, taking a check-box approach which leaves security a mere afterthought once certification has been achieved. This is simply unforgivable in this day and age, and indicates a clear lack of common sense – particularly when security breaches are reported so frequently and customer confidence continues to nosedive. Instead, security must be an ongoing, active process – which is where I welcome the introduction of security training and collaborative efforts as part of the new compliance requirements. 

“Awareness of PCI and other standards, as well as looking out for potential threats, is effectively the first line of defence against attacks – so if organisations drop the ball, even for just a second, they are opening themselves up to attack. By keeping a constant eye on all network activity, organisations can gain invaluable insight into their IT system and have traceable information should regulators ever require it. Such granular insight will also enable security teams to be alerted should anything abnormal or unauthorised occur. Pre-empting an attack is now key, because it really is becoming a case of when, not if, you will be targeted – even if you are ‘compliant’ on paper.” 
Source: Professional Security

