Latest version of PCI DSS reaches final stages

Around 500 global stakeholders are to meet this week to give the final community feedback on the next version of PCI DSS

Around 500 global stakeholders are to meet this week to give the final community feedback on the coming version 3.0 of the Payment Card Industry’s Data Security Standard (PCI DSS).

PCI DSS compliance is necessary for any organisation that handles customer payment card data and specifies how that information must be held and protected.

The PCI Security Standards Council (PCI SSC) administers the security regulations and is set to issue its regular update of the standard from  PCI DSS 2.0 in November 2013.

The annual PCI SSC European community meeting in Nice, France 29-31 October 2013, will be the last chance to comment on version 3.0 before publication on 7 November, said Jeremy King, the council’s European director.

“In an update year, the agenda at our community meetings in North America and Europe are tailored around the latest version of the standard,” King told Computer Weekly.

Even though publication of version 3.0 is just a week away, there are several sessions aimed at enabling members of the community to provide feedback.

Read more about PCI DSS

  • PCI DSS review: Assessing the PCI standard nine years later
  • Podcast: What’s new in PCI-DSS and PA-DSS version 3.0?
  • Using encryption technology to achieve PCI DSS compliance objectives
  • Understanding the PCI DSS prioritized approach to compliance
  • Can predefined DLP rules help prevent HIPAA and PCI DSS violations?
  • PCI DSS 3.0 preview highlights passwords, providers, payment data flow
  • PCI validation: Requirements for merchants covered by PCI DSS
  • Analysis: Inside the new PCI DSS risk assessment

“Although it is very late in the day and the standard has already gone through a lot of iterations and changes, any critical feedback will be incorporated into version 3.0 before publication,” said King.

“Whenever we are updating the standard, we work with the community to ensure there is maximum feedback.”

Commenting on the latest version of PCI DSS, King said it is aimed at making compliance with the standard part of “business as usual”.

To that end, the new version focuses on security training, helping people understand that security is a shared responsibility and giving merchants more flexibility in how they adopt the standard.

Other changes are aimed at ensuring card data security practices are updated to cope with new technologies and trends, such as bring your own device (BYOD) programmes in the workplace.

PCI DSS V3.0 goes into effect on 1 January 2014, but merchants who have not completed compliance with V2.0 will have until the end of 2014 to begin working on compliance with V3.0.

“Merchants have told us that, when they are three-quarters of the way through implementing one version of the standard, they can’t just stop and move to the next iteration,” said King.

They need time to complete the versions they are on before starting with the next one, which is why version 2.0 will remain active until December 2014, he said.

Read more on Hackers and cybercrime prevention