PCI Data Security Standard Version 3.0 – Breakdown of Changes to Anticipate

By: Gene Geiger, Partner of A-LIGN

Following the 36 month lifecycle the PCI Security Standards Council (“Council”) has established for the published standards, Version 3.0 of the PCI Data Security Standard is in the final stages before it will be released on November 7, 2013.

Through several webinars and documents provided to stakeholders, the Council has shared information on the final draft in order to receive feedback at the 2013 Community Meeting, which will be held in Las Vegas September 24 – 26.

The core twelve requirements remain the same, but after a review of the changes and guidance provided by the Council, the move to Version 3.0 is more comprehensive than what we experienced with previous version changes. Because of the impact of these changes and the time it may take to fully comply with the requirements of Version 3.0, Version 2.0 may still be used for assessments until December 31, 2014. Nonetheless, the Council encourages adoption of Version 3.0 as soon as practical.

As communicated by the Council, the changes planned for Version 3.0 are intended to better educate organizations that process, store, or transmit cardholder data, while strengthening awareness and responsibility through principles that can be applied to each organization's unique environment.

Key Themes

Education and Awareness

Users continue to be a target of attacks and need to understand their security roles and responsibilities, as they are a core part of the security of payment card data.

Version 3.0 addresses the need for additional education and awareness by gearing the standards “towards helping organizations better understand the intent of requirements and how to properly implement and maintain controls across their business. Changes to PCI DSS and PA-DSS will help drive education and build awareness internally and with business partners and customers” (“PCI DSS and PA-DSS – Version 3.0 Change Highlights”).

Increased Flexibility

New technologies continue to emerge that can strengthen organizations' security.

Through Version 3.0, the Council has recognized that there is no one-size-fits-all solution when it comes to mitigating complex risks. Version 3.0 “will allow organizations to take a more ‘customized’ approach when evaluating the more common areas of risk, such as passwords, malware, and self-detection. This change will increase the magnitude of testing procedures in order to validate proper implementation and maintenance” (“PCI DSS and PA-DSS – Version 3.0 Change Highlights”). However, this places additional responsibility on the assessor to verify that the solution implemented by the organization actually mitigates the risk, rather than simply confirming that a prescribed control is present.

Security as a Shared Responsibility

Outsourcing of information technology functions, including the use of cloud services, increases the sharing of responsibilities related to the security of payment card data between an organization and its service providers.

Version 3.0 addresses these shared responsibilities by focusing “on helping organizations understand their entities’ PCI DSS responsibilities when working with different business partners to ensure cardholder data security” (“PCI DSS and PA-DSS – Version 3.0 Change Highlights”).

A-LIGN continues to review the draft of Version 3.0 and will also attend the Community Meeting next week as it prepares to assist organizations in understanding and implementing the new changes.

“PCI DSS and PA-DSS – Version 3.0 Change Highlights.” PCI Security Standards Council. n.p. August 2013.