PCI Security Standards Council Issues New Security Requirements and Guidance | Practical Law

The Payment Card Industry Security Standards Council (PCI SSC) released version 3.0 of the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). The PCI DSS and PA-DSS add new security requirements and guidance for payment-card industry organizations.

Practical Law Legal Update 5-548-5805 (Approx. 4 pages)


by Practical Law Intellectual Property & Technology
Published on 11 Nov 2013 | USA (National/Federal)
On November 8, 2013, the Payment Card Industry Security Standards Council (PCI SSC) released version 3.0 of the PCI Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). The new version features new security requirements and guidance for payment-card industry organizations, which include all entities that store, process or transmit cardholder data and/or sensitive authentication data. The changes provide clarification, additional guidance or changes to requirements to keep up with new data security threats and industry changes. A summary of the changes between PCI DSS 2.0, which was released in October 2010, and PCI DSS 3.0 is available here.
PCI DSS 3.0 will go into effect on January 1, 2014, but organizations have until December 31, 2014 to transition from PCI DSS 2.0. In addition, certain new security requirements will have the status of best practices until June 30, 2015.
Supporting documentation including updated Self-Assessment Questionnaires (SAQ), Attestations of Compliance (AOC) and Reporting Templates will be available in early 2014 once version 3.0 is effective.

PCI DSS Requirements and Security Assessment Framework

PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS is only a minimum set of requirements, and entities may add controls and practices beyond it as needed. It also does not supersede any legal requirements.
PCI DSS is organized under the following 12 high-level security requirements:
  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data across open, public networks.
  • Protect all systems against malware and regularly update anti-virus software or programs.
  • Develop and maintain secure systems and applications.
  • Restrict access to cardholder data by business need to know.
  • Identify and authenticate access to system components.
  • Restrict physical access to cardholder data.
  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.
  • Maintain a policy that addresses information security for all personnel.
PCI DSS combines these 12 requirements and testing procedures into a security assessment tool. For each of the 12 high-level standards, detailed requirements and procedures are specified under these headings:
  • PCI DSS requirements.
  • Testing procedures to be followed by the assessor.
  • Guidance describing the intent or security objective behind the requirement.

New Requirements and Delayed Implementation

PCI SSC has highlighted that new requirements in version 3.0 focus on:
  • Increased education and awareness, including specific requirements for:
    • password education for users; and
    • point-of-sale security training and education.
  • Greater flexibility for organizations to choose their own security approach, including allowing organizations to:
    • elect the appropriate password security strength for their business; and
    • prioritize log reviews based on their own risk management strategy.
  • Security as a shared responsibility. In particular, to address the security risks of using an outsourced third-party IT operations model, version 3.0 specifies new PCI DSS responsibilities for service providers.
However, some of the new security requirements will only have the status of best practices until they go into effect on June 30, 2015. These include requirements:
  • Relating to broken authentication and session management.
  • For service providers with remote access to customer premises to use a unique authentication credential (like a password/phrase) for each customer.
  • To protect devices that capture payment card data through direct physical interaction with the card from tampering and substitution.
  • To implement a methodology for penetration testing with certain qualities like:
    • including testing from both inside and outside the network; and
    • specifying retention of penetration test results and remediation activity results.
  • To maintain written agreements with service providers specifying they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes or transmits on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.

Best Practices for Implementing PCI DSS into Business-as-Usual Processes

PCI DSS 3.0 also includes a set of best practices that aim to:
  • Make PCI DSS implementation part of business-as-usual activities.
  • Ensure that organizations involved in payment card processing remain compliant between annual assessments.
These best practices do not extend or replace any PCI DSS requirements and are provided as recommendations and guidance only. They include:
  • Continuously monitoring firewalls, intrusion detection systems, antivirus products and access controls to ensure they operate as intended.
  • Ensuring that security control failures are detected and remediated in a timely manner.
  • Reviewing how planned changes to the environment (like the addition of new systems or modification of existing system and network configurations) impact the scope of PCI DSS and updating the security controls as needed.
  • Reviewing how organizational changes, like acquisitions or mergers, impact PCI DSS scope and requirements.
  • Periodically reviewing and communicating to confirm that PCI DSS requirements continue to be in place and personnel are following secure processes.
  • Reviewing, at least annually, hardware and software technologies to confirm they continue to be supported by the vendor and can meet the entity's security requirements, including PCI DSS.