Analysis: What’s PCI DSS V3.0 all about?

The latest version of PCI DSS is due for publication on 7 November, but what can merchants expect?

The latest version of the Payment Card Industry’s Data Security Standard (PCI DSS) is due for publication on 7 November, but what can merchants expect?

PCI DSS compliance is necessary for any organisation that handles customer payment card data and specifies how that information must be held and protected.

The good news is that the latest version of the standard does not appear to bring many new requirements for compliance.

Instead, version three is aimed at raising awareness of security issues around card payments, increasing understanding that security is a shared responsibility, and providing more flexibility for merchants in how they adopt the standard and introduce and use the requirements.

How has education been brought into version 3.0?

Although the chip and PIN standard for smart card payments has been good in driving down face-to-face fraud, it has begun to creep up again in the past year, said Jeremy King, European director of the PCI Security Standards Council (PCI SSC), which administers the security standard.

“The criminals are still stealing [card payment] terminals and inserting malware and card skimmers into them,” he said.

In response, requirement 9 of version 3.0 of the PCI DSS has additional requirements for merchants to train staff around device security and to be able to identify and prevent terminal tampering.

“We have also seen a lot of security breaches because of poor password use or poor password security,” said King.

Version 3.0 consequently introduces additional requirements for training around passwords to help people in the retail industry realise why good security practices matter and how to choose and use good passwords.

“We are also allowing merchants to use pass phrases instead of a password to try and improve security, but at the same time make it easier to remember without sticking notes on to the computer screen,” said King.

In terms of the standard, version 3.0 includes several new sub-requirements for assessors to check the awareness of employees within an organisation and require merchants to produce records of security awareness training programmes.

What about security as a shared responsibility?

“Although PCI DSS involves a lot of IT and IT input, it is not only a job for the IT director. It does need the buy-in from everybody in the organisation,” said King.

“If we can get the C-level staff involved and understand that this is a change of mind set, that will help improve the overall security,” he said.

Merchants, especially those in e-commerce, are increasingly using the services of a third-party provider, and King said this can lead to a lack of understanding about who is responsible for what.

As a result, version 3.0 of the PCI DSS strengthens the requirements that apply when merchants use a third-party provider, so that merchants understand what they should expect of the provider in terms of security and which responsibilities fall to each party, with the aim of improving the overall security of payment card data.

King said it is important to have a clear understanding of the responsibilities of the third-party provider and the merchant.

“Although the payment page is being hosted by the third-party, and the merchant should not have any card holder data coming into their system, we are still seeing instances where criminals target the interface between the merchant and third-party provider to get to the data,” he said.

How is version 3.0 more flexible from a merchant’s point of view?

The requirements have been improved, said King, to move PCI compliance away from being a tick-box exercise and towards an understanding of the need for proper risk assessments, which help merchants prioritise what to tackle by identifying their own biggest risks and threats.

“There is increased flexibility, for example, in allowing merchants to use pass phrases instead of passwords, and in allowing merchants to choose – in the event of a breach – how they manage the review of system logs to identify where the criminal came in or where the criminal activity took place,” he said.

Where will merchants see the biggest changes from version 2.0 to version 3.0?

The evolution of the standard from one version to the next is gradual, so there are never any major adjustments to be made, said King.

“The demand has been for a lot more guidance and support in understanding the requirements, so in version 3.0 we have incorporated the previously separate guidance document into the requirements as an extra column to explain in more detail what is meant and required,” he said.

Tackling weak passwords and improving security practices with third-party suppliers, said King, are the areas that most organisations will have to pay more attention to as they work to comply with version 3.0.

Other challenging areas include the increased use of employee-owned devices in the workplace and new technology.

“Organisations have to understand what this means in terms of securing their environment,” he said.

Here, the changes in version 3.0 are aimed at ensuring that employee devices are segmented away from the card holder data environment.

“Mobile data and mobile commerce is another key area we are working on for future iterations of the standard,” said King.

For more than a year, the PCI SSC has had a task force working with relevant industry experts and organisations to understand how to secure mobile phones, particularly for accepting payments.

While there are no requirements around mobile commerce in version 3.0, if merchants are using a mobile phone to accept payments, that device is part of the card holder data environment and must meet the requirements of the PCI DSS.

Therefore, to help merchants and developers learn how to use mobile devices in a secure way, the PCI SSC has published separate guidance documents.

According to King, version 3.0 is up to date with the latest trends in attacks because it has been compiled with input from penetration testing suppliers.

Also, those suppliers now have a role to play in verifying that merchants have included all of their systems that touch payment card information.

“In the past we have allowed merchants to set the scope of their payment environment, but we have seen cases where payment information is on more systems than the merchant has declared,” said King.

By extending the range of penetration testing required, version 3.0 will mean more work, but that is going to be a positive in supporting what merchants claim in their submissions, he said.

The update is also aimed at providing support and guidance in areas that are perennial security risks such as SQL injection, weak passwords and slow detection of breaches.

Is version 3.0 clearer and easier to use?

“Having the guidance as part of the standard to explain each of the requirements will be a huge help in ensuring that merchants and assessors have the same understanding of what each requirement means, which is one of the key areas of improvement in version 3.0,” said King.

Most of the work in version 3.0, he said, was in looking at each requirement and how it could be reworded to make it easier to understand and implement, so little should come as a shock.

Above all, he said, organisations should aim to make PCI DSS part of business as usual, because the standard provides the best set of requirements and processes for protecting data.
