The PCI Council will be releasing version 3.0 of its Data Security Standard and Payment Application Data Security Standard in November to take effect at the beginning of 2014. The council released a preview of the expected changes for the new version of the standards yesterday for PCI members.
The new version will address several areas of growing concern, says Bob Russo, the council’s general manager. “The biggest area to address with version 3.0 is to make PCI compliance more business-as-usual, so merchants don’t have to think about it,” he notes.
Many merchants approach the PCI security standards as a compliance issue and with a mentality of “I check the box and I’m done with it; I don’t have to worry about it anymore,” Russo observes.
Merchants and payments players need to approach PCI as a security issue rather than a compliance issue, and be constantly diligent about being up to date with the standards, he remarks.
This is particularly important as most of the security breaches that the council has observed are exploiting simple vulnerabilities that the standards already address, Russo says. “90% of the breaches are simple exploits -- someone didn’t change their default password or is using insecure remote access. The standard is already a good framework for dealing with all of these things,” he explains.
The new version of the standard will also take into account new and emerging technologies and threats, says Troy Leach, the council’s chief technology officer. For instance, as mobile payment acceptance is expected to increase over the next few years, the new version of the standard will emphasize awareness of how cardholder data has to be exposed during a transaction, and how to mitigate that risk, Leach explains.
With more businesses outsourcing IT needs to third party vendors, the standards will also underline the importance of understanding shared security responsibilities with those partners, Leach adds.
The preview of the new version of the standards is not final. Over the fall the council will discuss the proposed changes with its members during committee meetings, and will likely make some tweaks to the new version before it is made official in November, Bob Russo says.