The Payment Card Industry Data Security Standard version 3.0, the latest major update to the standard for handling payment card information, formally goes into effect starting Jan. 1, 2015.
While PCI DSS 3.0 is designed around making security a continual process rather than a once-a-year activity, organizations that have not already begun the transition to the new standard may be rushing to prepare for 2015 audits.
At the same time, there are many services available around PCI DSS 3.0 compliance. For instance, enterprise data security provider Vormetric and IT auditing firm Coalfire have collaborated on solutions for VMware environments to meet PCI DSS 3.0 requirements.
“[PCI DSS 3.0] has some 408 requirements – that’s 27 percent more rules than version 2,” Paul Ayers, Vormetric’s VP of the EMEA region, said in a statement. “Interestingly, revisions to this version have reinforced the criticality of robust encryption and key management. Section 3.5.2, for example, calls on businesses to store secret and private keys used to encrypt/decrypt cardholder data separately and/or within a secure cryptographic device.”
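The key-separation requirement Ayers cites from Section 3.5.2 is usually implemented as envelope encryption: each record's data-encrypting key (DEK) is itself encrypted under a key-encrypting key (KEK) that lives in a separate component, so the cardholder data store never holds a usable key. The following Go program is an added illustration of that pattern and is not code from the article, Vormetric or Coalfire; the `KeyCustodian` type stands in for an HSM or key server, the function names are assumptions, and the PAN is a constructed test value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CardRecord is what the cardholder data store keeps: the encrypted PAN and
// the wrapped (encrypted) DEK. No plaintext key is ever written here.
type CardRecord struct {
	Ciphertext []byte // AES-GCM nonce || ciphertext of the PAN under the DEK
	WrappedDEK []byte // AES-GCM nonce || ciphertext of the DEK under the KEK
}

// KeyCustodian models the separate key-management component (HSM or key
// server) that holds the KEK. The KEK never leaves this type.
type KeyCustodian struct{ kek []byte }

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

func NewKeyCustodian() (*KeyCustodian, error) {
	kek, err := randomBytes(32) // AES-256 key
	if err != nil {
		return nil, err
	}
	return &KeyCustodian{kek: kek}, nil
}

// seal encrypts plaintext with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or the bytes were altered.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data shorter than nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Wrap and Unwrap are the only operations that touch the KEK.
func (c *KeyCustodian) Wrap(dek []byte) ([]byte, error)     { return seal(c.kek, dek) }
func (c *KeyCustodian) Unwrap(wrapped []byte) ([]byte, error) { return open(c.kek, wrapped) }

// StorePAN generates a per-record DEK, encrypts the PAN with it, wraps the DEK
// via the custodian, and lets the plaintext DEK go out of scope.
func StorePAN(c *KeyCustodian, pan string) (CardRecord, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return CardRecord{}, err
	}
	ct, err := seal(dek, []byte(pan))
	if err != nil {
		return CardRecord{}, err
	}
	wrapped, err := c.Wrap(dek)
	if err != nil {
		return CardRecord{}, err
	}
	return CardRecord{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// LoadPAN must go through the custodian to unwrap the DEK; a copy of the data
// store alone, or a custodian holding a different KEK, cannot decrypt.
func LoadPAN(c *KeyCustodian, rec CardRecord) (string, error) {
	dek, err := c.Unwrap(rec.WrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, rec.Ciphertext)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	custodian, _ := NewKeyCustodian()
	rec, _ := StorePAN(custodian, "4111111111111111") // constructed test PAN
	pan, _ := LoadPAN(custodian, rec)
	fmt.Println("recovered:", pan)
	other, _ := NewKeyCustodian()
	_, err := LoadPAN(other, rec)
	fmt.Println("different KEK:", err)
}
```

The point to take from the layout is that `CardRecord` can be copied out of the data store in full without yielding a PAN: the only key in it is wrapped, and unwrapping requires the custodian's KEK, which in a real deployment would sit in an HSM or a separately administered key server with its own access controls and audit trail.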
Many businesses will obviously be dealing with the changes in PCI DSS 3.0 in unique ways, but managed web host WiredTree notes in a press statement that “web hosting clients and eCommerce retailers should be particularly focused on changes that mandate that cardholder data users explicitly document which controls are managed by vendors and infrastructure suppliers and which are their own responsibility.”
With 2014 being a year of several high-profile data breaches, the latest PCI DSS validation version could help restore trust in the payment industry and ecommerce websites.
Some, however, argue that PCI DSS 3.0 does not go far enough, either in encouraging the use of chip-and-PIN credit cards over magnetic-stripe cards or in updating its penetration testing methodology so that it could stop customer data breaches originating from within another division of the organization.
According to Ayers, the latest stipulations have gone a long way toward making PCI DSS no longer a simple “check box compliance activity”; the goal is to have security permeate the entire organization.
“In this brave, new world where the tempo of data breach incidents perpetrated by hackers shows no sign of slowing and the risk to data can also come from a trusted insider, any business handling payment data and sensitive, personally identifiable data needs to put encryption with granular access control controls in place,” Ayers said.