Businesses that process and store credit- and debit-card information got a preview of the latest planned requirements when the Payment Card Industry Security Standards Council (PCI SSC) released a draft of the third edition of its security rules.
The new PCI Data Security Standards (PCI DSS) focus on improving worker education, strengthening passwords by allowing other authentication mechanisms, improving security requirements for third-party providers and speeding detection of malware and other threats, the PCI SSC stated in a release announcing the changes. Because many companies have had problems complying with existing standards, the council has added flexibility in the ways that firms can satisfy the requirements.
"Today, most organizations have a good understanding of PCI DSS and its importance in securing card data, but implementation and maintenance remains a struggle—especially in light of increasingly complex business and technology environments," Bob Russo, general manager of the PCI SSC, said in a statement. "The challenge for us now is providing the right balance of flexibility, rigor and consistency within the standards to help organizations make payment security business as usual."
PCI DSS is a set of requirements mandated by credit-card companies for any merchant that handles payment data. While tens of thousands of companies must abide by the standards, many businesses do the minimum necessary to comply with the rules. In 91 percent of breaches, for example, the victim takes more than a month to detect the compromise, according to security-services firm Trustwave's 2013 Global Security Report. By then, the data has already been exfiltrated by the attacker.
The PCI SSC aims to make the standards more about security and less about compliance, said Torsten George, vice president of products and support for Agiliance, a risk-management firm.
"The changes will help companies further focus on risk rather than check-box compliance," he told eWEEK. "So check boxes are going to go out the window."
In addition, the changes will also assure merchants that their third-party suppliers are more secure, he said. The new data-security standards require that providers and their suppliers undergo more comprehensive tests of their defenses and implement secure development methodologies. In addition, companies will have to maintain lists of which of the PCI DSS requirements are the responsibility of the business and which are the responsibility of the provider, according to a comparison published by the PCI SSC online.
"This is a reaction to the fact that over the last 24 months, the real attacks have targeted the supplier as a back door," George said.
Other companies have seen the trend as well. In its Global Security Report, Trustwave found that 63 percent of breaches occurred in systems managed by third parties.
PCI DSS 3.0 is still a draft, and will be finalized in November, according to the PCI SSC. This is the first release following the council's move to longer periods between drafts, from a two-year release cycle to a three-year cycle.