PCI-DSS 3.0 Security Compliance Gets Stronger
A new version of the PCI-DSS has broad implications for how e-commerce is secured. The CEO and CTO of the PCI Security Standards Council explain what it's all about.

For anyone taking electronic payments, the Payment Card Industry Data Security Standard (PCI-DSS) is a critical, must-have compliance component in order to do business. Currently the standard is at the PCI-DSS 2.0 level. The new 3.0 standard is now in development, bringing with it policy and procedural changes that will affect the security of the entire electronic payment ecosystem.

"This new PCI-DSS 3.0 version will bring PCI into line as a business-as-usual activity," Bob Russo, Payment Card Industry Security Standards Council (PCI SSC) general manager, told eWEEK. "We want to try to get people out of the habit of thinking of PCI-DSS as a once-a-year event and then not thinking about it, because that's where we see the breaches happen."

PCI-DSS has sometimes been thought of as just a compliance activity: a box indicating a point-in-time level of compliance is checked, after which the organization simply moves on. Russo stressed that the new PCI-DSS 3.0 standard places an emphasis on education and policy, to make payment security an everyday item and a discipline that is always maintained.

Troy Leach, CTO of PCI SSC, explained to eWEEK that the new standard puts real emphasis on the process of making things secure. PCI-DSS testing is now intended to make sure that the process is secure, rather than just confirming that a company has a specific security technology in place.
"We have incorporated policy and ongoing risk assessment throughout the standard," Leach said.