In January 2015, version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS) came into effect, says Simeon Tassev, MD and QSA at Galix.

The changes are progressive and the guidance reflects the changing business environment, increasing protection against emerging threats. Among the new areas of focus are mandated data flow mapping, additional guidance on mobile security, and the introduction of security controls for companies trading online.

PCI DSS 3.0 introduces almost 100 changes relative to version 2.0. Understanding the changes, how they must be implemented and how they will impact the organisation will help ensure a successful audit and optimise payment card security.

PCI DSS is a standard put in place by major card issuers – American Express, Visa, MasterCard, Discover and JCB – to govern the use and security of sensitive credit card information. Certification is essential for organisations handling a certain number of credit card transactions, and an annual audit is required to ensure ongoing compliance. For organisations handling smaller volumes of transactions, a self-assessment can be done. However, the PCI DSS standard must be applied by all. A new version of PCI DSS is released every three years with a formal procedure governing the adaptation of existing standards, the introduction of new requirements and the adoption of the new version of the standard.

While PCI DSS v3.0 was published in November 2013, this is the first year in which application of the standard is mandated. So what can users expect?

The six main principles and 12 requirements remain the same, with some minor sub-requirement changes and 74 clarifications. There are five new pieces of official guidance and 19 evolving requirements.

The biggest change, however, is that v3.0 makes the business itself responsible for compliance with all 12 requirements, regardless of whether it has outsourced payment to a third party. This means that the business now has to be 100% sure that its payment provider is not just PCI DSS aligned but compliant with all 12 requirements – or face regulatory fines. The clarification notes that all applications that store, process, or transmit cardholder data are in scope for an entity’s PCI DSS assessment, even if they are Payment Application Data Security Standard (PA-DSS) validated. PA-DSS is a data standard for software vendors that develop payment applications.

Some of the other main changes include the following:
* The Report on Compliance (ROC) reporting templates used by Qualified Security Assessors (QSAs) for assessments have changed.
* For organisations doing self-assessments, there are now different versions of the self-assessment to select from depending on the company’s business model – i.e., digital services or e-commerce.
* New supplements provide guidelines for specific controls, such as mobile payments, ATM security and e-commerce.
* There is new guidance on scoping, segmentation and sampling, and on security and vulnerability scans (e.g., penetration tests are now required on every segment that holds cardholder data).

There are a number of improvements with version 3.0. Evolving requirements stipulate the following:
* A network diagram must be included along with a current diagram that shows cardholder data flows.
* An inventory of the credit card hardware in the environment is required.
* The organisation must ensure that anti-virus solutions are actively running, and cannot be disabled or altered by users unless specifically authorised by management on a per-case basis.
* Evolving malware threats must be evaluated for any systems not considered to be commonly affected by malicious software.
* There are new requirements to protect devices that capture payment card data via direct physical interaction with the card against tampering and substitution; e.g., storage of additional information on the device chip can lead to breaches.
* Service providers, such as companies hosting a payment solution, must now enter into a detailed agreement specifying their responsibilities – e.g., who is responsible for securing the physical environment.

PCI DSS v3.0 does much to raise awareness of security and risk in the commercial sector. It clarifies many of the requirements, makes compliance a shared responsibility, introduces requirements that compel merchants to train staff on potential security threats such as tampering, and ensures that new channels and devices, specifically mobile devices, are secured.

As the commercial environment becomes increasingly digital, the threat of security breaches continues to grow. Implementing PCI DSS v3.0 will enhance the safety of data, of the business and of consumers.