PCI-DSS 3.0 Security Compliance Gets Stronger

By Sean Michael Kerner  |  Posted 2013-08-15

In previous versions of the standard, there have always been two columns explaining each security control requirement. The first column identifies the requirement, and the second details the testing procedures. With the PCI-DSS 3.0 standard there will be a third column in which, Leach explained, the standard aims to give real-life examples of the risks that the security control is meant to mitigate.

For example, for a Web application firewall (WAF), the new standard will explain what that technology should be able to do and detail the types of risk it helps to mitigate.


One key area of change in the PCI-DSS 3.0 standard has to do with passwords. The PCI SSC has done research into password strength over the last three years, which helped inform the new requirements.

"Passphrases can have equivalent strength to short alphanumeric passwords," Leach said.

With a passphrase, a phrase (e.g., "johnny walked the dog"), spaces included, is used as an alternative to a single password. The new standard still requires that, at a minimum, passwords be at least seven characters and alphanumeric, but it now also allows a passphrase as an alternative.
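To make the "equivalent strength" claim concrete, the following added example (not code from the article or from the PCI SSC) compares the entropy of a random alphanumeric password with that of a passphrase built from randomly chosen dictionary words, and checks a credential against the seven-character alphanumeric minimum described above. The alphabet size, the word-list size and the reading of "alphanumeric" as "contains both letters and digits" are assumptions made for the illustration; the article does not give the standard's exact passphrase rules.

```python
import math
import re

# Assumed parameters for the estimate (not taken from the standard).
ALNUM_ALPHABET = 62      # a-z, A-Z, 0-9
WORDLIST_SIZE = 7776     # size of a common short-word list (assumption)
MIN_PASSWORD_LEN = 7     # the minimum the article describes

LETTER_RE = re.compile(r"[A-Za-z]")
DIGIT_RE = re.compile(r"[0-9]")


def alnum_password_bits(length):
    """Entropy (bits) of a uniformly random alphanumeric password of this length."""
    return length * math.log2(ALNUM_ALPHABET)


def passphrase_bits(word_count, wordlist_size=WORDLIST_SIZE):
    """Entropy (bits) of a passphrase whose words are drawn uniformly at random
    from a word list. A natural-language phrase such as "johnny walked the dog"
    is NOT uniformly random, so this estimate overstates its strength."""
    return word_count * math.log2(wordlist_size)


def passphrase_equivalent_length(word_count, wordlist_size=WORDLIST_SIZE):
    """Number of random alphanumeric characters with the same entropy as the
    given number of random words (rounded up)."""
    bits = passphrase_bits(word_count, wordlist_size)
    return math.ceil(bits / math.log2(ALNUM_ALPHABET))


def is_alnum_password(candidate, min_len=MIN_PASSWORD_LEN):
    """Checks the minimum the article describes: at least min_len characters,
    alphanumeric only, and (our reading of 'alphanumeric') at least one letter
    and one digit."""
    return bool(
        len(candidate) >= min_len
        and candidate.isalnum()
        and LETTER_RE.search(candidate)
        and DIGIT_RE.search(candidate)
    )


def passphrase_words(candidate):
    """Splits a passphrase on whitespace; spaces are part of the credential."""
    return [w for w in candidate.split() if w]


def classify_credential(candidate, min_words=3):
    """Returns which branch of the described policy a credential satisfies:
    'password' (7+ alphanumeric), 'passphrase' (min_words+ words; the threshold
    is an assumption, chosen because 3 random words roughly match 7 random
    alphanumeric characters), or 'reject'."""
    if is_alnum_password(candidate):
        return "password"
    if len(passphrase_words(candidate)) >= min_words:
        return "passphrase"
    return "reject"


if __name__ == "__main__":
    # Constructed sample credentials for the comparison.
    print("7 random alnum chars: %.1f bits" % alnum_password_bits(7))
    print("3 random words:       %.1f bits" % passphrase_bits(3))
    print("4 random words:       %.1f bits" % passphrase_bits(4))
    for c in ["abc1234", "abcdefg", "johnny walked the dog", "pw1"]:
        print("%-24r -> %s" % (c, classify_credential(c)))
```

Three uniformly random words from a 7776-word list carry about 39 bits, against about 42 bits for seven uniformly random alphanumeric characters, which is the "equivalent strength" the research refers to. The caveat in the comments matters in practice: a memorable English sentence is drawn from a far smaller space than random word selection, so an assessor should treat the entropy figure as an upper bound.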


A key area of concern in recent years with PCI-DSS has been its applicability to cloud environments. Simply put, it is not enough for a merchant to host its operations with a PCI-DSS-compliant cloud provider and assume that the merchant itself is therefore compliant.

Leach stressed that in the PCI-DSS 3.0 standard there is an emphasis on the theme of shared responsibility. That is, the merchant and the cloud provider need to work together and have agreements in place so that areas of responsibility are understood.


The PCI-DSS 3.0 standard is currently in the final phases of development. The PCI SSC will hold a series of community meetings over the next several months to further refine the specification, according to Russo. The final standard will be published in November and will become effective on Jan. 1, 2014.

Although PCI-DSS 3.0 becomes effective in January, organizations currently compliant with PCI-DSS 2.0 will have a one-year grace period to move to the new standard.

"The changes we are making in the new standard were based on feedback we received and the challenges we see," Russo said. "We believe we are now making the standard stronger."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
