PCI Standards Revised With Strong Focus on Improving Security
Companies that handle credit and debit card data will have to comply with additional Payment Card Industry standards when PCI 3.0 is released in November.Businesses that process and store credit- and debit-card information got a preview of the latest planned requirements when the Payment Card Industry Security Standards Council (PCI SSC) released a draft of the third edition of its security rules. The new PCI Data Security Standards (PCI DSS) focus on improving worker education, strengthening passwords by allowing other authentication mechanisms, improving security requirements for third-party providers and speeding detection of malware and other threats, the PCI SSC stated in a release announcing the changes. Because many companies have had problems complying with existing standards, the council has added flexibility in the ways that firms can satisfy the requirements. "Today, most organizations have a good understanding of PCI DSS and its importance in securing card data, but implementation and maintenance remains a struggle—especially in light of increasingly complex business and technology environments," Bob Russo, general manager of the PCI SSC, said in a statement. "The challenge for us now is providing the right balance of flexibility, rigor and consistency within the standards to help organizations make payment security business as usual." PCI DSS is a set of requirements mandated by credit-card companies for any merchant that handles payment data. While tens of thousands of companies must abide by the standards, many businesses do the minimum necessary to comply with the rules. In 91 percent of breaches, for example, the victim takes more than a month to detect the compromise, according to security-services firm Trustwave's 2013 Global Security Report. By then, the data has already been exfiltrated by the attacker.
The PCI SSC aims to make the standards more about security and less about compliance, said Torsten George, vice president of products and support for Agiliance, a risk-management firm.