Saturday, 17 August 2013

Payment Card Industry (PCI) DSS Version 3.0 Change Highlights

Changes to PCI DSS and PA-DSS
Before introducing revisions to PCI DSS and PA-DSS, the Council must weigh many considerations:

  • What will improve payment security? 
  • Global applicability and local market concerns 
  • Appropriate sunset dates for other standards or requirements 
  • Cost/benefit of changes to infrastructure 
  • Cumulative impact of any changes 

Based on feedback from the industry, in 2010 the Council moved from a two-year to a three-year
standards development lifecycle. The additional year provides a longer period to gather feedback and
more time for organizations to implement changes before a new version is released. Version 3.0 will
introduce more changes than Version 2.0. The core 12 security areas remain the same, but the updates
will include several new sub-requirements that did not exist previously. Recognizing that additional time
may be necessary to implement some of these sub-requirements, the Council will introduce future
implementation dates accordingly. This means until 1 July 2015 some of these sub-requirements will be
best practices only, to allow organizations more flexibility in planning for and adapting to these changes.
Additionally, while entities are encouraged to begin implementation of the new version of the Standards
as soon as possible, to ensure adequate time for the transition, Version 2.0 will remain active until 31
December 2014.

The nature of the changes reflects the growing maturity of the payment security industry since the
Council’s formation in 2006, and the strength of the PCI Standards as a framework for protecting
cardholder data. Cardholder data continues to be a target for criminals. Lack of education and awareness
around payment security and poor implementation and maintenance of the PCI Standards leads to many
of the security breaches happening today. The updates address these challenges by building in additional
guidance and clarification on the intent of the requirements and ways to meet them. Additionally, the
changes in PCI DSS and PA-DSS 3.0 focus on some of the most frequently seen threats and risks that
precipitate incidents of cardholder-data compromise. The updated standards will help organizations not
by making the requirements more prescriptive, but by adding more flexibility and guidance for integrating
card security into their business-as-usual activities. At the same time, the changes will provide increased
stringency for validating that these controls have been implemented properly, with more rigorous and
specific testing procedures that clarify the level of validation the assessor is expected to perform. Overall,
the changes are designed to give organizations a strong but flexible security architecture with principles
that can be applied to their unique technology, payment, and business environments.
The updated versions of PCI DSS and PA-DSS will:

  • Provide stronger focus on some of the greater risk areas in the threat environment 
  • Provide increased clarity on PCI DSS & PA-DSS requirements 
  • Build greater understanding on the intent of the requirements and how to apply them
  • Improve flexibility for all entities implementing, assessing, and building to the Standards
  • Drive more consistency among assessors
  • Help manage evolving risks / threats 
  • Align with changes in industry best practices 
  • Clarify scoping and reporting 
  • Eliminate redundant sub-requirements and consolidate documentation

Change Drivers
The PCI Standards are updated based on feedback from the industry, per the standards development
lifecycle, as well as in response to current market needs. Common challenge areas and drivers for change:

  • Lack of education and awareness
  • Weak passwords, authentication
  • Third-party security challenges
  • Slow self-detection, malware
  • Inconsistency in assessments

Key Themes
Changes planned for Version 3.0 are designed to help organizations take a proactive approach to protect
cardholder data that focuses on security, not compliance, and makes PCI DSS a business-as-usual
practice. Key themes emphasized throughout Version 3.0 include:

Education and awareness
Lack of education and awareness around payment security, coupled with poor implementation and
maintenance of the PCI Standards, gives rise to many of the security breaches happening today.
Updates to the standards are geared towards helping organizations better understand the intent of
requirements and how to properly implement and maintain controls across their business. Changes
to PCI DSS and PA-DSS will help drive education and build awareness internally and with business
partners and customers.

Increased flexibility 
Changes in PCI DSS and PA-DSS 3.0 focus on some of the most frequently seen risks that lead to
incidents of cardholder data compromise—such as weak passwords and authentication methods,
malware, and poor self-detection—providing added flexibility on ways to meet the requirements. This
will enable organizations to take a more customized approach to addressing and mitigating common
risks and problem areas. At the same time, more rigorous testing procedures for validating proper
implementation of requirements will help organizations drive and maintain controls across their

Security as a shared responsibility
Securing cardholder data is a shared responsibility. Today’s payment environment has become ever
more complex, creating multiple points of access to cardholder data. Changes introduced with PCI
DSS and PA-DSS focus on helping organizations understand their entities’ PCI DSS responsibilities
when working with different business partners to ensure cardholder data security.
