Wednesday, November 6, 2013

On the Eve of PCI DSS v3.0 - About

Here is a summary of information about the new standard, which will be released tomorrow.

What do we know about PCI DSS v3.0?

  • Release date is November 7, 2013
  • Becomes effective on January 1, 2014
  • Version 2.0 remains in effect until December 31, 2014 to provide a transition period
  • Version 3.0 introduces more changes than Version 2.0
  • There will be several new sub-requirements
  • Some of the sub-requirements will become effective on July 1, 2015. They will be best practices until then
  • Not all documents will be released on November 7. These will be available in 2014:
    • Revised SAQs
    • New SAQ for web-redirection payment environments
      • Announced at the North American Community Meeting
    • ROC reporting template
    • ROC reporting instructions
    • New AOCs
    • Prioritized Approach to PCI DSS Compliance

What factors have influenced the changes in PCI DSS v3.0?

  • Criminals are still targeting cardholder data
  • Many security breaches are tied to:
    • Lack of payment security awareness and education
    • Malware
    • Weak passwords and authentication
    • Slow self-detection
    • Poor implementation of the PCI Standards
    • Security issues with third-party providers
    • Lack of maintenance to ensure compliance between assessments
    • Inconsistent assessments

What will PCI DSS v3.0 do?

  • Focus more on higher risk areas
  • Clarify many of the requirements
  • Help to improve understanding of the intent of the requirements
  • Add flexibility to implementation
  • Help improve consistency of assessments with more stringent assessment procedures
  • Evolve with changing best practices, as well as risks and threats

What are the major themes in PCI DSS v3.0?

  • Encourage proactive approaches that focus on security rather than compliance
  • Make PCI DSS “business-as-usual”
  • Increase awareness and education
  • Increase flexibility to allow better security
  • Security as a shared responsibility

What kinds of changes are included in PCI DSS v3.0?

  • Clarification – Concise wording to ensure that each requirement matches the desired intent
  • Additional Guidance – To increase understanding
  • Evolving Requirement – Keep standards up-to-date with market changes and emerging threats
