By Sam Pfanstiel, Solutions Engineer, Bluefin
Bluefin was in attendance at the Payment Card Industry Security Standards Council (PCI) Community Meeting last week and we were able to get a sneak peek at some of the tentative specifications for their Data Security Standards (PCI-DSS) version 3.0. The final version is still forthcoming next month, but in the interest of helping our merchants and ISVs stay better prepared, we hope to provide you and your organization with an overview of what you can expect from these new requirements.
PCI DSS Lifecycle
Before I go into the changes coming with the new version of DSS, it is important to know how these changes will roll out. PCI uses a 3-year roll-out cycle for new security standards, such as the DSS 3.0. Once the new standard is announced this November, it won’t actually take effect until January 1, 2014 (this represents the first day of the new three year cycle). At that time, anyone can continue to certify under the DSS 2.0 for another year and remain compliant under the older standard until the last day of 2015 (the end of year two). Finally, on January 1, 2015 the old standard will no longer be acceptable for DSS certification, and all audits and self-assessment questionnaires must be filed using the new 3.0 standard.
During 2015 (year three of the cycle) Bluefin and other PCI participating members will contribute their feedback on the success and comprehensive nature of this standard in order to ensure that new threats and security issues are fully addressed. The council will then meet to discuss this feedback and add clarifications, additional guidance, and requirements before presenting a new set of DSS standards to be approved and implemented at the end of that year, starting the cycle all over again.
During this particular cycle, the PCI council has identified three predominant themes that have influenced the coming changes being presented:
The first is the growing need for better understanding of why it is important to secure cardholder data and the cardholder data environment. Many merchants see the PCI review process as a menial task to be checked off each year, rather than its intended purpose as an iterative and reflective review process. Furthermore, many of the individual requirements in 3.0 will go further to explain the intent of the controls, in hopes that this increased education will cause organizations to better ensure they are thoroughly integrated, thus avoiding costly data compromise. This focus primarily takes shape in more explanations of intent, as well as the change of general tone from “compliance” to one of “security”.
The second theme that surfaces throughout the changes is one of increased flexibility, but also more rigorous validation testing. While compensating controls already allowed organizations the ability to address challenges through alternative approaches, the new requirements will clearly outline these options (where appropriate) giving organizations the freedom to customize their approach, as long as the end result still meets the objective of the requirement.
The final recurring theme represents a growing recognition that most transaction environments today include numerous third-party integrations, and the responsibility of securing cardholder data is shared among each of the providers. The coming standard will provide better clarity on the interplay between the PCI-DSS and the PA-DSS in order to better account for how these applications and service providers affect a merchants’ PCI scope and compliance.
Next week, we will go into how these themes work together to affect the specific requirements, and what specific preparations your organization should do to prepare for the coming change.