Anticipated changes to the standard for payment card security have been announced, and the PCI Security Standards Council has issued some guidelines ahead of the final changes to help merchants get ahead by reviewing and understanding the changes before their implementation. The revised standard (Version 3.0) is due to come out in November.
According to the Change Highlight Document, the updated version of PCI-DSS and PA-DSS will:
- Provide stronger focus on some of the greater risks in the threat environment
- Provide increased clarity on PCI-DSS & PA-DSS requirements
- Build greater understanding on the intent of the requirements and how to apply them
- Improve flexibility for all the entities implementing, assessing and building to the Standards
- Drive more consistency among assessors
- Help manage evolving risks/threats
- Align with changes in industry best practices
- Clarify scoping and reporting
- Eliminate redundant sub requirements and consolidate documentation
Key themes for the new version include:
Education & Awareness – to help drive education and build awareness internally and with business partners and customers.
Increased Flexibility – Enabling organisations to take a more flexible approach on meeting requirements in common risk areas such as weak passwords, malware and poor authentication methods.
Security as a Shared Responsibility – Changes introduced to help organisations understand their entities’ PCI-DSS responsibilities when working with different business partners to ensure cardholder data security.
The PCI-DSS and PA-DSS are built in a way that their principles can be applied to a variety of cardholder data environments, such as mobile or cloud. The PCI Special Interest Group issues separate and specific guidance for mobile via the PCI SSC website (Mobile Payment Acceptance Security Guidelines for Merchants).