The PCI Security Standards Council (PCI SSC), an open, global forum for the development of payment card security standards, has published version 3.0 of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS). The new standards and a detailed summary of changes from version 2.0 to version 3.0 are available at the PCI SSC website.

Version 3.0 becomes effective on Jan. 1, 2014. However, version 2.0 will remain active until Dec. 31, 2014, to allow organizations time to make the transition.

Version 3.0 will help organizations make payment security part of their business-as-usual activities by introducing more flexibility and an increased focus on education, awareness and security as a shared responsibility, according to a news release from the PCI SSC.

"The core principles at work when we first published PCI DSS are still relevant today," said PCI SSC general manager Bob Russo. "Version 3.0 builds on these to address the feedback we've heard from our community and to help organizations make payment security good business practice — every day, all year round."

New requirements include:

PCI DSS

  • Req. 5.1.2 — evaluate evolving malware threats for any systems not considered to be commonly affected by malware
  • Req. 8.2.3 — combined minimum password complexity and strength requirements into one, and increased flexibility for alternatives
  • Req. 8.5.1 — for service providers with remote access to customer premises, use unique authentication credentials for each customer*
  • Req. 8.6 — where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) these must be linked to an individual account and ensure only the intended user can gain access
  • Req. 9.3 — control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination
  • Req. 9.9 — protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution*
  • Req. 11.3 and 11.3.4 — implement a methodology for penetration testing; if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective*
  • Req. 11.5.1 — implement a process to respond to any alerts generated by the change-detection mechanism
  • Req. 12.8.5 — maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity
  • Req. 12.9 — for service providers, provide the written agreement/acknowledgment to their customers as specified in requirement 12.8.2*

*Indicates future-dated requirements that are best practices until July 1, 2015, after which they become mandatory.

PA-DSS

  • Req. 5.1.5 — payment application developers to verify integrity of source code during the development process
  • Req. 5.1.6 — payment applications to be developed according to industry best practices for secure coding techniques
  • Req. 5.4 — payment application vendors to incorporate versioning methodology for each payment application
  • Req. 5.5 — payment application vendors to incorporate risk assessment techniques into their software development process
  • Req. 7.3 — application vendor to provide release notes for all application updates
  • Req. 10.2.2 — vendors with remote access to customer premises (for example, to provide support/maintenance services) use unique authentication credentials for each customer
  • Req. 14.1 — provide information security and PA-DSS training for vendor personnel with PA-DSS responsibility at least annually

Supporting documentation, including updated self-assessment questionnaires, attestations of compliance and reporting templates, will be available in early 2014 once version 3.0 is effective.
