Web Hosts and Customers Prepare for Looming PCI DSS 3.0 Deadline


The Payment Card Industry Data Security Standard version 3.0, the latest major update to the standard for handling payment card information, formally goes into effect starting Jan. 1, 2015.

While PCI DSS 3.0 is designed around making security a continual process rather than a once-a-year activity, organizations that have not already begun the transition to the new standard may be rushing to prepare for 2015 audits.

At the same time, there are many services available around PCI DSS 3.0 compliance. For instance, enterprise data security provider Vormetric and IT auditing firm Coalfire have collaborated on solutions for VMware environments to meet PCI DSS 3.0 requirements.

“[PCI DSS 3.0] has some 408 requirements – that’s 27 percent more rules than version 2,” Paul Ayers, Vormetric’s VP of the EMEA region, said in a statement. “Interestingly, revisions to this version have reinforced the criticality of robust encryption and key management. Section 3.5.2, for example, calls on businesses to store secret and private keys used to encrypt/decrypt cardholder data separately and/or within a secure cryptographic device.”
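The key-separation principle Ayers refers to (the key that protects cardholder data must not live alongside that data) is easiest to see in code. The following envelope-encryption sketch is an added example written for this article; it is not Vormetric's, Coalfire's or any PCI-provided code. It assumes a simulated key store standing in for an HSM or KMS, uses only the Python standard library (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag in place of AES-GCM, so it runs without third-party packages), and all names, record ids and the test card number are constructed.

```python
"""Envelope encryption with the key-encrypting key (KEK) kept outside the data store.

Constructed demonstration of the idea behind PCI DSS 3.0 requirement 3.5.2:
each record is encrypted under its own data-encrypting key (DEK); the DEK is
stored only in wrapped form, and the KEK that wraps it never leaves a separate
key store.  Rotating the KEK re-wraps DEKs without touching the ciphertext.
The cipher below is HMAC-SHA256 in counter mode plus an HMAC tag so the
example runs with the standard library only; production code would use
AES-GCM and a real HSM/KMS.
"""
import hashlib
import hmac
import secrets


def _derive(key: bytes, label: bytes) -> bytes:
    """Derive an independent sub-key (encryption or MAC) from one 32-byte key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based counter-mode keystream: HMAC(enc_key, nonce || counter)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag.  aad binds context."""
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt; raise on any alteration."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or context altered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyStore:
    """Stand-in for an HSM/KMS (hypothetical API): holds KEKs and exposes only
    wrap/unwrap, never the KEK bytes, to the application."""

    def __init__(self):
        self._keks = {}

    def create_kek(self, kek_id: str) -> None:
        self._keks[kek_id] = secrets.token_bytes(32)

    def wrap(self, kek_id: str, dek: bytes) -> bytes:
        return _seal(self._keks[kek_id], dek, aad=kek_id.encode())

    def unwrap(self, kek_id: str, wrapped: bytes) -> bytes:
        return _open(self._keks[kek_id], wrapped, aad=kek_id.encode())


class CardholderDataStore:
    """The application's database: ciphertext, the wrapped DEK and the id of
    the KEK that wrapped it.  No plaintext key is ever written here."""

    def __init__(self):
        self.rows = {}


def store_pan(store, kms, kek_id, record_id, pan: str) -> None:
    dek = secrets.token_bytes(32)                          # fresh DEK per record
    ciphertext = _seal(dek, pan.encode(), aad=record_id.encode())
    store.rows[record_id] = {"kek_id": kek_id,
                             "wrapped_dek": kms.wrap(kek_id, dek),
                             "ciphertext": ciphertext}
    del dek                                                # DEK lives only in memory, briefly


def read_pan(store, kms, record_id) -> str:
    row = store.rows[record_id]
    dek = kms.unwrap(row["kek_id"], row["wrapped_dek"])    # requires the separate key store
    return _open(dek, row["ciphertext"], aad=record_id.encode()).decode()


def rotate_kek(store, kms, old_kek_id, new_kek_id) -> int:
    """Re-wrap every DEK under the new KEK; cardholder ciphertext is untouched."""
    rotated = 0
    for row in store.rows.values():
        if row["kek_id"] == old_kek_id:
            dek = kms.unwrap(old_kek_id, row["wrapped_dek"])
            row["wrapped_dek"], row["kek_id"] = kms.wrap(new_kek_id, dek), new_kek_id
            rotated += 1
    return rotated


def plaintext_keys_in_store(store, kms) -> bool:
    """Audit check: True if any record's raw DEK bytes appear in the data store."""
    for row in store.rows.values():
        dek = kms.unwrap(row["kek_id"], row["wrapped_dek"])
        if dek in row["wrapped_dek"] + row["ciphertext"]:
            return True
    return False
```

The point to take from the sketch is the separation of duties: a dump of `CardholderDataStore` alone yields neither a usable key nor a card number, and a KEK rotation is a re-wrap pass rather than a bulk re-encryption, which is what lets key management become the routine, continual process the new standard asks for.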

Many businesses will obviously be dealing with the changes in PCI DSS 3.0 in their own ways, but managed web host WiredTree notes in a press statement that “web hosting clients and eCommerce retailers should be particularly focused on changes that mandate that cardholder data users explicitly document which controls are managed by vendors and infrastructure suppliers and which are their own responsibility.”

Over the past few months, Google Cloud Platform, Amazon Web Services, GoGrid, and many other cloud hosting platforms have announced they have been audited for PCI DSS 3.0 compliance.

With 2014 being a year of several high-profile data breaches, the latest PCI DSS validation version could help restore trust in the payment industry and ecommerce websites.

Some, however, argue that PCI DSS 3.0 doesn’t go far enough in encouraging the use of chip-and-PIN credit cards over magnetic-stripe credit cards, or in specifying an updated penetration testing methodology that could stop customer data breaches originating from within another division of the organization.

According to Ayers, the latest stipulations have gone a long way to make PCI DSS no longer a simple “check box compliance activity,” but the goal is to have security permeate the entire organization.

“In this brave, new world where the tempo of data breach incidents perpetrated by hackers shows no sign of slowing and the risk to data can also come from a trusted insider, any business handling payment data and sensitive, personally identifiable data needs to put encryption with granular access controls in place,” Ayers said.


One Comment

  1. DoktorThomas™

    PCI DSS 3.0: More government regulation that will do nothing except increase the cost of goods while delivering nothing measurable in results, but will allow the fed.gov an unbridled opportunity to inspect companies from inside (since everyone in the fed.gov is crooked they assume everyone everywhere is also crooked; they know they will catch you, but you can't catch them because they have qualified immunity from felonies ...). Each new government regulation puts The Nation one step closer to Communism and government oppression. Historically, in a free marketplace (which we do not have because of gOVERnment meddling) the courts were the remedy for bad business practices, not some baseless useless government regulation. The USSA [sic] is a government of laws, not people as it used to be. You elected them; it is your fault. ©2014 DoktorThomas™. All rights reserved. This material may not be used, published, broadcast, rewritten, paraphrased, forwarded, nor redistributed without written permission. All statutory use exemptions/exceptions specifically revoked by author. Protected by Amendment, Federal law and international treaty. For educational use only--not intended as legal, medical, accounting, tax, financial or other advice; for readers to use as such violates TOS and may entail imposition of financial penalty and other sanctions. Limited license granted for this one exclusive use on thewhir.com.