For anyone taking electronic payments, compliance with the Payment Card Industry Data Security Standard (PCI-DSS) is a prerequisite for doing business. Currently the standard is at the PCI-DSS 2.0 level. The new 3.0 standard is now in development, bringing with it policy and procedural changes that will impact the security of the entire electronic payment ecosystem.
"This new PCI-DSS 3.0 version will bring PCI into line as a business-as-usual activity," Bob Russo, Payment Card Industry Security Standards Council (PCI SSC) general manager, told eWEEK. "We want to try to get people out of the habit of thinking of PCI-DSS as a once-a-year event and then not thinking about it, because that's where we see the breaches happen."
PCI-DSS has sometimes been treated as just a compliance activity: a box indicating a point-in-time level of compliance is checked, after which the organization moves on. Russo stressed that the new PCI-DSS 3.0 standard places an emphasis on education and policy, to make payment security an everyday item and a discipline that is always maintained.
Troy Leach, CTO of PCI SSC, explained to eWEEK that there is a real emphasis in the new standard on the process of making things secure. When it comes to PCI-DSS testing, the testing is now intended to make sure that the process is secure, rather than just making sure a company has a specific security technology in place.
"We have incorporated policy and ongoing risk assessment throughout the standard," Leach said.
The effect, especially in large organizations, is greater consistency around process-oriented controls. There is also more emphasis on an ongoing responsibility that extends beyond the point in time when a PCI-DSS audit takes place.
"The question that the new standard will help merchants to answer is, 'Do we have the culture to protect our customers' cardholder data every day and every hour that we're doing business?'" Leach said.
Although there is an emphasis in PCI-DSS 3.0 to think of the standard as more than just point-in-time compliance, the new standard does not in fact require greater audit frequency than the PCI-DSS 2.0 standard.
"There is no requirement for more reports than an annual validation, but that's just a snapshot in time," Leach said. "What we're hoping with this is that, through the process, there is more regularity of checking by the merchant as the environment changes."
One area where PCI-DSS has been criticized in the past is the lack of clarity around its provisions. For example, the standard might require an organization to deploy a Web Application Firewall (WAF), but has not always detailed the proper configuration of the firewall or even why it is needed in the first place. That is a criticism the PCI SSC has heard loud and clear from its members, and one it has set out to address in the new standard.