Nov. 8 -- Organizations that are affected by the Payment Card Industry Security Standards Council's standards should use the recent release of version 3.0 of two security standards as an opportunity to bring their practices into compliance, Amy S. Mushahwar, of counsel at Ballard Spahr LLP, in Washington, told Bloomberg BNA Nov. 8.
Companies that are unaware of the standards “could be walking into a rat's nest,” she said.
The council is a global forum that develops payment card security standards, including the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application-Data Security Standard (PA-DSS). The council Nov. 7 released version 3.0 of both standards.
The self-regulatory PCI DSS requires companies handling card transactions to maintain certain data security measures or face fines and/or the cutoff of their ability to process cards. The purpose of the PA-DSS is to assist software vendors in the development of secure payment applications.
Laura Johnson, spokeswoman for the council, told Bloomberg BNA Nov. 7 that the updated versions of both the PCI DSS and PA-DSS will take effect Jan. 1, 2014. Version 2.0 will remain active until Dec. 31, 2014, to give companies time to adapt to the changes, according to a Nov. 7 statement by the council.
Mushahwar said the biggest mistake companies make is thinking that they are PCI DSS-compliant if they have PA-DSS-compliant software. Even if companies have PA-DSS-compliant software, they still must review their “card-processing infrastructure and data flow” to ensure they are compliant with the PCI DSS, she said.
The updates to the PCI DSS focus primarily on security risks resulting from (1) third-party vendors and (2) malware, botnets and viruses, Mushahwar said. Many data breaches result from gaps between merchants and vendors, as well as malware, botnets and viruses, she said.
Mushahwar said companies, and in particular small businesses, need to get around their fear of the PCI DSS. Organizations need to ensure that someone within the organization is responsible for compliance with the standard, she said.
Mushahwar said the next frontier for changes to the council's standards will be in the area of mobile devices. A significant amount of credit card processing occurs over mobile devices, she said. The standards are updated every three years, she explained.
The council released the last version of the PCI DSS in 2010. It shared proposed changes for version 3.0 in August.
“Version 3.0 will help organizations make payment security part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility,” the council said in its statement.
Increasing the level of education and awareness of payment card security is necessary because employees are “directly involved in the payment chain” and can “leave the door open for attacks,” according to a council infographic on PCI DSS 3.0. New requirements that address this issue include user password education and point-of-sale security training, the council said.
Outsourcing information technology operations to a third party can result in security risks, according to the infographic. The council said “63 percent of investigations identifying a security deficiency easily exploited by hackers revealed a third party responsible for system support, development, or maintenance.” To address this risk, version 3.0 of the PCI DSS contains guidance on outsourcing responsibilities under the standard and sets forth the standard's responsibilities for service providers.
An example of a new PCI DSS provision that allows for greater flexibility is a provision that permits an organization to implement the password strength that is appropriate for its security strategy, according to the council.
The council said updates to the PA-DSS include, among other items, a requirement that payment application developers develop payment applications according to industry best practices and a requirement that payment application vendors utilize risk assessment techniques during the software development process.
To contact the reporter on this story: Katie W. Johnson in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
Version 3.0 of the PCI DSS, version 3.0 of the PA-DSS and summaries of changes are available, after registration, at https://www.pcisecuritystandards.org/security_standards/documents.php.