The Payment Card Industry Data Security Standard (PCI-DSS) 3.0 is now officially a global standard and with it comes a host of new security requirements and guidance that aim to make electronic payment infrastructure more secure.
Bob Russo, Payment Card Industry Security Standards Council (PCI SSC) general manager, told eWEEK that over the last few months as his organization has been discussing the new standard with its members, the response has been very positive. The PCI SSC started to publicly promote and discuss the new PCI-DSS 3.0 standard in August. The new standard places renewed emphasis on continued security monitoring and clarifies the rules that merchants will need to comply with to be PCI-certified.
“A lot of companies are already doing most of what’s in PCI-DSS 3.0 as there really isn’t very much that is actually different in many areas,” Russo said. “It’s a lot of re-emphasis in the areas that merchants need to make commonplace, rather than just treating security compliance as a once-a-year event.”
That said, there are some items that Russo expects will cause merchants some angst, as more work will be required. Most of those new areas that require more work are initially being labeled as best practices by the PCI-DSS 3.0 standard and are not required for full certification until Jan. 15, 2015.
One of the new best practices that will not be required until 2015, Troy Leach, CTO of PCI SSC, told eWEEK, is a need for agreements between merchants and third-party service providers about the responsibilities of protecting cardholder data.
Another area that will be an initial best practice is requirement 9.9, which stipulates further requirements around the inspection of physical security and protection for payment terminals.
Proper Malware Detection
One of the requirements in PCI-DSS 3.0 that merchants will need to comply with in 2013 is to have proper malware detection. Requirement 5.1.2 has been added to make sure that merchants and anyone handling payment card data have a good risk management process in place for handling malware.
“In the past, a merchant might have said they had a mainframe or were using Linux and they couldn’t put antivirus software on the system as there are few, if any, Linux viruses,” Leach said.
The new 5.1.2 requirement recognizes that threats are likely to evolve and merchants need to be diligent, he said.
“It’s not just that the PCI standard explicitly says that a merchant should or shouldn’t install anti-malware; it’s more about making sure there is a malware risk management process in place,” Leach said.
Throughout the PCI-DSS 3.0 standard, there is an emphasis on providing more flexibility for security controls to be met in different and evolving ways, and that includes password complexity, according to Leach.
“Previously, the language in PCI was that passwords needed to be a seven-character or greater, alpha-numeric combination,” Leach said. “We recognized that there might now be other means to have an equivalent type of value in the integrity of the authentication, so it might not just be a password; merchants could also use a passphrase.”
PCI-DSS 3.0 is now an official standard, and it becomes effective for implementation in January 2014, according to Russo. There was a three-year time span between the PCI-DSS 2.0 standard and 3.0, he said, and it will likely be another three years until PCI-DSS 4.0 comes out.
That doesn’t mean the standard is standing still for the next three years. Russo said that errata documents are likely to be published, as well as additional documentations and frequently asked questions (FAQs) about the certain requirements.
The goal of PCI-DSS is to secure the payment card industry, and Russo said that a key metric for the success of the PCI-DSS 3.0 standard will be a reduction in data breaches.
“If we happen to see a large data breach, we will immediately look to see if there is something in the standard that needs to be addressed, or something new that we need to add,” Russo said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.