The first big change for payments in 2015 took effect on January 1st when the deadline to meet PCI Data Security Standards (DSS) version 3.0 requirements passed. The Fraud Practice provides a quick overview of what has changed and what that means for organizations that must adhere to these standards.
The Payment Card Industry Data Security Standards (PCI-DSS) has outlined the minimum standards for processing and storing payment card information since 2001, but a lot has changed in the fraud and payments landscape since. The third version of these standards seeks to keep up with changes in risk and technology, and after being approved in December, 2013 PCI-DSS version 3.0 officially became a requirement on January 1, 2015.
The third version of the PCI Data Security Standards both expands on existing requirements and creates new ones. The number of PCI requirements increased by more than 25 percent from version 2.0 and there are now 408 requirements in total. This includes documenting more procedures around fulfilling requirements, more clearly defining PCI responsibilities in vendor contracts, enhanced penetration testing and maintaining more of a year-round approach to data security rather than a once-a-year, check-the-box mentality.
In version 2.0 there were a couple of sub-requirements under section 12 of the PCI-DSS that required organizations to document operational security procedures outlining how the PCI guidelines are implemented and enforced. This has been vastly expanded in version 3.0 as similar policy and procedure documentation requirements were added to the remaining 11 PCI-DSS sections. Now organizations must have documented procedures on how they assess compliance with many more PCI requirements, and stakeholders in the organization need to be familiar with these procedures.
Merchants often outsource many of their PCI responsibilities to vendors, and PCI-DSS 3.0 calls for a more clear understanding of who owns what responsibilities. The new version calls for required written agreements between Cloud Service Providers and their customers explicitly citing the responsibilities for maintaining PCI compliance. While there were looser requirements around this in the previous version, 3.0 requires specific documentation of the vendors commitments at the contract level.
Likely the most costly updates coming into effect under PCI-DSS are centered on penetration testing. Penetration testing has always been a requirement, but now there is a lot more detail and requirements around the methodology. It’s not enough to perform basic scans and call it penetration testing, rather organizations have to prove that the systems are adequate, and cardholder data is segmented from other data the organizations has to prove that segmentation is adequate. Requirements around penetration testing do not take effect until July, so organizations validating compliance before July 1 will not be required to meet these new standards.
For more information:
Comments