By Katie W. Johnson
Nov. 8 -- Organizations that are affected by the Payment Card Industry Security Standards Council's standards should use the recent release of version 3.0 of two security standards as an opportunity to bring their practices into compliance, Amy S. Mushahwar, of counsel at Ballard Spahr LLP, in Washington, told Bloomberg BNA Nov. 8.
Companies that are unaware of the standards “could be walking into a rat's nest,” she said.
The council is a global forum that develops payment card security standards, including the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application-Data Security Standard (PA-DSS). The council Nov. 7 released version 3.0 of both standards.

The self-regulatory PCI DSS requires companies handling card transactions to maintain certain data security measures or face fines and/or the cutoff of their ability to process cards. The purpose of the PA-DSS is to assist software vendors in the development of secure payment applications.
Laura Johnson, spokeswoman for the council, told Bloomberg BNA Nov. 7 that the updated versions of both the PCI DSS and PA-DSS will take effect Jan. 1, 2014. Version 2.0 will remain active until Dec. 31, 2014, to give companies time to adapt to the changes, according to a Nov. 7 statement by the council.

Mushahwar said the biggest mistake companies make is thinking that they are PCI DSS-compliant if they have PA-DSS-compliant software. Even if companies have PA-DSS-compliant software, they still must review their “card-processing infrastructure and data flow” to ensure they are compliant with the PCI DSS, she said.
Updates to the PCI DSS focus primarily on security risks resulting from (1) third-party vendors and (2) malware, botnets and viruses, Mushahwar said. Many data breaches result from gaps between merchants and vendors, as well as malware, botnets and viruses, she said.
Mushahwar said companies, and in particular small businesses, need to get around their fear of the PCI DSS. Organizations need to ensure that someone within the organization is responsible for compliance with the standard, she said.

The next frontier for changes to the council's standards will be in the area of mobile devices. A significant amount of credit card processing occurs over mobile devices, she said. The standards are updated every three years, she said.

The council released the last version of the PCI DSS in 2010. It shared proposed changes for version 3.0 in August.
“Version 3.0 will help organizations make payment security part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility,” the council said in its statement.
Increasing the level of education and awareness of payment card security is necessary because employees are “directly involved in the payment chain” and can “leave the door open for attacks,” according to a council infographic on PCI DSS 3.0. New requirements that address this issue include user password education and point-of-sale security training, the council said.
Outsourcing information technology operations to a third party can result in security risks, according to the infographic. The council said “63 percent of investigations identifying a security deficiency easily exploited by hackers revealed a third party responsible for system support, development, or maintenance.” To address this risk, version 3.0 of the PCI DSS contains guidance on outsourcing responsibilities under the standard and sets forth the standard's responsibilities for service providers.
An example of a new PCI DSS provision that allows for greater flexibility is a provision that permits an organization to implement the password strength that is appropriate for its security strategy, according to the council.
The council said updates to the PA-DSS include, among other items, a requirement that payment application developers develop payment applications according to industry best practices and a requirement that payment application vendors utilize risk assessment techniques during the software development process.
To contact the reporter on this story: Katie W. Johnson in Washington at firstname.lastname@example.org

To contact the editor responsible for this story: Donald G. Aplin at email@example.com

Version 3.0 of the PCI DSS, version 3.0 of the PA-DSS and summaries of changes are available, after registration, at https://www.pcisecuritystandards.org/security_standards/documents.php.