PCI Council previews changes to data security standards
The PCI Security Standards Council is giving merchants a first look at changes that could be introduced later this year to its credit card data and payment application security guidelines.
The council released the seven-page '3.0 Change Highlights' document on Thursday, a preview of the updated PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA DSS), both of which are set to be published on 7th November.
The standards, which undergo revisions every three years, were developed to help ensure that customer card data is protected by merchants that store, transmit and process it.
Expected changes in version 3.0 include a new requirement for merchants to draw up a current diagram showing how cardholder data flows through organisations' systems.
In addition, the new version will contain guidance around protecting point-of-sale (POS) terminals and devices from threats such as tampering, malware and insiders. Another addition being considered for version 3.0 is an educational explanation of why each of the 12 core security requirements has been included in the standard and how they help organisations mitigate specific threats.
Bob Russo, the PCI council's general manager, told SCMagazine.com on Wednesday that the possible amendments – which also include giving merchants more flexibility in password authentication options – are meant to make the guidelines easier to implement on a day-to-day basis.
"In our mind, we need to make this more of a business-as-usual type of thing, instead of you study to pass the test once a year," Russo said. "We have the same core 12 standards, but we have incorporated things to make this part of their everyday [operations]."
The updated PA DSS, which was introduced by the council in 2008, is likely to include additional procedures for software developers who build programs that process credit card payments, including rules on managing the full lifecycle of the software and requirements for developer education.
There have been differing opinions in the security community, and among merchants, on whether PCI DSS is a burden or benefit to those expected to comply. Organisations often cite implementation, audit costs, dealing with legacy systems and overcoming confusion over what is required as prime challenges.
Meanwhile, there are questions over whether the banks and the card brands are taking on enough of the risk.
In one landmark case, a merchant is in the midst of a court battle to recoup $13 million in fines levied against it after a 2010 breach. Per its merchant contracts, Tennessee-based sportswear company Genesco compensated its acquiring banks, Wells Fargo and Fifth Third, for the fine amount. Genesco then filed a lawsuit against Visa, which levied the penalty, to recoup that amount.
Visa imposed the penalties on the banks, which passed them down to Genesco, for non-compliance with PCI DSS that allegedly led to the breach. In a complaint filed in a United States District Court in Nashville, Genesco said that Visa "had no reasonable basis for concluding that Genesco was non-compliant with the PCI DSS requirement at the time of the intrusion or at any other relevant time".
Late last month, Visa lost a motion to dismiss the suit.
The proposed changes to PCI DSS and PA DSS are expected to come in November, after drafts are discussed at the council's community meetings in September and October.
The new standards will become effective from 1st January 2014.
According to Visa statistics, as of 31st December 2012, 95 per cent of Level 1 merchants, which are those companies that process greater than six million transactions annually, have validated PCI DSS compliance. Level 2 merchants, which process between one and six million transactions, have achieved a 90 per cent rate. Level 3 merchants, which process between 20,000 and one million transactions, are at 55 per cent.