Last month, the Payment Card Industry Security Standards Council (PCI Council), an open global forum responsible for the development of payment card security standards, published version 3.0 of the PCI Data Security Standards (PCI DSS) and Payment Applications Data Security Standards (PA-DSS).
The PCI DSS apply to all entities that store, process or transmit cardholder data, including merchants, financial institutions and service providers. The PA-DSS are aimed at vendors/developers and integrators of payment applications that store, process or transmit cardholder data as part of authorisation or settlement (excluding applications developed for in-house use only). Compliance with both sets of standards is enforced by the major payment brands.
The standards are revised every three years. The latest version will take effect from January 1, 2014, although, to ensure businesses have enough time to transition to the new standards, the current version 2 will remain active until December 31, 2014. Some of the new requirements in version 3.0 will have an even longer transition period, as they will be treated as "best practices" until July 2015.
The PCI Council wants to help businesses to incorporate payment security into their day-to-day activities. To achieve this, the revised standards incorporate best practices, new training and education requirements and, for some requirements, increased flexibility as to how compliance is achieved. Version 3.0 also extends the requirements for third-party service providers that process, store or transmit cardholder data on behalf of another entity.
Some of the new requirements in version 3.0 of PCI DSS include:
- a combined requirement for minimum password complexity and strength and increased flexibility for alternatives (Req 8.2.3);
- a requirement for service providers with remote access to customer premises to use unique authentication credentials for each customer (Req 8.5.1);
- where other authentication mechanisms such as security tokens are used, these must be linked to an individual account with restricted access (Req 8.6);
- physical access to sensitive areas by onsite personnel must be controlled (Req 9.3);
- devices capturing payment card data must be protected from tampering and substitution (Req 9.9);
- a requirement to maintain information about which PCI DSS requirements are managed by third party service providers or entities. Service providers are required to provide a written agreement/acknowledgment of their responsibilities to customers (Req 12.8.5 and 12.9). This requirement is in addition to the existing EU requirement for data controllers to have a written agreement in place with their data processors and will include setting out the responsibilities of each party in meeting the PCI DSS requirements.
New requirements introduced in version 3.0 of PA-DSS include:
- payment application developers are required to verify the integrity of source code during the development process (Req 5.1.5);
- payment application vendors must incorporate risk assessment techniques into their software development process (Req 5.5);
- vendors with remote access to customer premises must use unique authentication credentials for each customer (Req 10.2.2); and
- information security and standards training must be provided to vendor personnel at least annually (Req 14.1).
Although there is a long transition period, organisations should start preparing now by assessing their current security procedures and business processes against the new requirements and assessing the cost implications.