PCI Security Standards Council Releases New Versions of Two Security Standards


By Katie W. Johnson  

Nov. 8 -- Organizations that are affected by the Payment Card Industry Security Standards Council's standards should use the recent release of version 3.0 of two security standards as an opportunity to bring their practices into compliance, Amy S. Mushahwar, of counsel at Ballard Spahr LLP, in Washington, told Bloomberg BNA Nov. 8.

Companies that are unaware of the standards “could be walking into a rat's nest,” she said.

The council is a global forum that develops payment card security standards, including the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application-Data Security Standard (PA-DSS). The council Nov. 7 released version 3.0 of both standards.

The self-regulatory PCI DSS requires companies handling card transactions to maintain certain data security measures or face fines and/or the cutoff of their ability to process cards. The purpose of the PA-DSS is to assist software vendors in the development of secure payment applications.

Laura Johnson, spokeswoman for the council, told Bloomberg BNA Nov. 7 that the updated versions of both the PCI DSS and PA-DSS will take effect Jan. 1, 2014. Version 2.0 will remain active until Dec. 31, 2014, to give companies time to adapt to the changes, according to a Nov. 7 statement by the council.

Focus on Third Parties, Malware

Mushahwar said the biggest mistake companies make is thinking that they are PCI DSS-compliant if they have PA-DSS-compliant software. Even if companies have PA-DSS-compliant software, they still must review their “card-processing infrastructure and data flow” to ensure they are compliant with the PCI DSS, she said.

The updates to the PCI DSS focus primarily on security risks resulting from (1) third-party vendors and (2) malware, botnets and viruses, Mushahwar said. Many data breaches result from gaps between merchants and vendors, as well as malware, botnets and viruses, she said.

Mushahwar said companies, and in particular small businesses, need to get around their fear of the PCI DSS. Organizations need to ensure that someone within the organization is responsible for compliance with the standard, she said.

Mushahwar said the next frontier for changes to the council's standards will be in the area of mobile devices. A significant amount of credit card processing occurs over mobile devices, she said. The standards are updated every three years, she explained.

The council released the last version of the PCI DSS in 2010. It shared proposed changes for version 3.0 in August.

New Requirements

“Version 3.0 will help organizations make payment security part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility,” the council said in its statement.

Increasing the level of education and awareness of payment card security is necessary because employees are “directly involved in the payment chain” and can “leave the door open for attacks,” according to a council infographic on PCI DSS 3.0. New requirements that address this issue include user password education and point-of-sale security training, the council said.

Outsourcing information technology operations to a third party can result in security risks, according to the infographic. The council said “63 percent of investigations identifying a security deficiency easily exploited by hackers revealed a third party responsible for system support, development, or maintenance.” To address this risk, version 3.0 of the PCI DSS contains guidance on outsourcing responsibilities under the standard and sets forth the standard's responsibilities for service providers.

An example of a new PCI DSS provision that allows for greater flexibility is a provision that permits an organization to implement the password strength that is appropriate for its security strategy, according to the council.

The council said updates to the PA-DSS include, among other items, a requirement that payment application developers develop payment applications according to industry best practices and a requirement that payment application vendors utilize risk assessment techniques during the software development process.

To contact the reporter on this story: Katie W. Johnson in Washington at kjohnson@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Version 3.0 of the PCI DSS, version 3.0 of the PA-DSS and summaries of changes are available, after registration, at https://www.pcisecuritystandards.org/security_standards/documents.php.
