The Payment Card Industry Security Standards Council (PCI SSC) published Version 3.0 of the Data Security Standard for securing payments data last week. The new standards aim to help merchants in dealing with security problems in an evolving payments landscape, according to Troy Leach, CTO of PCI SCC.
“Overall, we try to create these standards to be incorporated throughout the development of new systems, throughout the lifecycle of all the technology and processes they use,” Leach noted. “What we’ve seen from market research is that those organizations, that culturally incorporate security throughout their lifecycle of products, actually minimize the cost of assessments and in audits.”
The standards promote minimizing cardholder data footprint by incorporating measures like point-to-point encryption, a protocol for encrypting payment data as it transfers through networks, Leach said.
“If we can minimize where cardholder data is needed to be stored, processed and transmitted, then we can focus all the security concerns and controls on smaller area of systems and networks,” Leach commented.
“The approach is that we can make the standards more user friendly, which we have [done] by increasing the education and awareness in the community,” added Bob Russo, general manager at PCI SSC.
The standards have been adjusted to make them more flexible for merchants using different payments methods, according to Russo. The new version of the standards also emphasizes the need for shared responsibility in payments security among all of the players involved in a transaction, he added.
“A lot of companies are outsourcing their payment data to payment processors and thinking that their obligation is done because they’ve outsourced it to someone who tells them that they’re PCI compliant. That is not the case,” Russo commented.
The standards latest version will help merchants be more involved in compliance and security throughout the year, rather than only being concerned with compliance when an audit is coming up, Leach explained.