Risk

8/15/2013
05:38 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

PCI DSS 3.0 Change Highlights

Version 3.0 to focus on flexibility, education and awareness, and security as a shared responsibility

WAKEFIELD, Mass., 15 August 2013 -- Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of payment card security standards published PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) 3.0 Change Highlights as a preview of the new version of the standards coming in November 2013. The changes will help companies make PCI DSS part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility.

The seven-page document is part of the Council's commitment to provide as much information as possible during the development process and eliminate any perceived surprises for organizations in their PCI security planning. Specifically, the summary will help PCI Participating Organizations and the assessment community as they prepare to review and discuss draft versions of the standards at the 2013 Community Meetings in September and October.

Changes to the standards are made based on feedback from the Council's global constituents per the PCI DSS and PA-DSS development lifecycle and in response to market needs. Key drivers for version 3.0 updates include: lack of education and awareness; weak passwords and authentication challenges; third party security challenges; slow self-detection in response to malware and other threats; inconsistency in assessments.

"Today, most organizations have a good understanding of PCI DSS and its importance in securing card data, but implementation and maintenance remains a struggle – especially in light of increasingly complex business and technology environments," said Bob Russo, PCI SSC general manager. "The challenge for us now is providing the right balance of flexibility, rigor and consistency within the standards to help organizations make payment security business-as-usual. And that's the focus of the changes we're making with version 3.0."

Based on feedback from the industry, in 2010 the Council moved from a two-year to a three-year standards development lifecycle. The additional year provides a longer period to gather feedback and more time for organizations to implement changes before a new version is released. Version 3.0 will introduce more changes than version 2.0, with several new sub-requirements. Proposed updates include:

· Recommendations on making PCI DSS business-as-usual and best practices for maintaining ongoing PCI DSS compliance

· Security policy and operational procedures built into each requirement

· Guidance for all requirements with content from Navigating PCI DSS Guide

· Increased flexibility and education around password strength and complexity

· New requirements for point-of-sale terminal security

· More robust requirements for penetration testing and validating segmentation

· Considerations for cardholder data in memory

· Enhanced testing procedures to clarify the level of validation expected for each requirement

· Expanded software development lifecycle security requirements for PA-DSS application vendors, including threat modeling

Note that these updates are still under review by the PCI community. Final changes will be determined after the PCI Community Meetings and incorporated into the final versions of the PCI DSS and PA-DSS published in November.

The change highlights document with tables outlining anticipated updates is available on the PCI SSC website: https://www.pcisecuritystandards.org/security_standards/documents.php

The Council will host a webinar series for the PCI community and the general public to outline the proposed changes. To register, visit: https://www.pcisecuritystandards.org/training/webinars.php

"PCI DSS and PA-DSS 3.0 will provide organizations the framework for assessing the risk involved with technologies and platforms and the flexibility to apply these principles to their unique payment and business environments, such as e-commerce, mobile acceptance or cloud computing," added Troy Leach, PCI SSC chief technology officer.

PCI DSS and PA-DSS 3.0 will be published on 7 November 2013. The standards become effective 1 January 2014, but to ensure adequate time for the transition, version 2.0 will remain active until 31 December 2014.

For more information and to register for the 2013 Community Meetings, please visit: https://www.pcisecuritystandards.org/communitymeeting/2013/

About the PCI Security Standards Council

The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the Council has more than 650 Participating Organizations representing merchants, banks, processors and vendors worldwide. To learn more about playing a part in securing payment card data globally, please visit: pcisecuritystandards.org.

Connect with the PCI Council on LinkedIn: http://www.linkedin.com/company/pci-security-standards-council

Join the conversation on Twitter: http://twitter.com/#!/PCISSC

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft President: Governments Must Cooperate on Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/8/2018
Why the CISSP Remains Relevant to Cybersecurity After 28 Years
Steven Paul Romero, SANS Instructor and Sr. SCADA Network Engineer, Chevron,  11/6/2018
5 Reasons Why Threat Intelligence Doesn't Work
Jonathan Zhang, CEO/Founder of WhoisXML API and TIP,  11/7/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-1786
PUBLISHED: 2018-11-12
IBM Spectrum Protect 7.1 and 8.1 dsmc and dsmcad processes incorrectly accumulate TCP/IP sockets in a CLOSE_WAIT state. This can cause TCP/IP resource leakage and may result in a denial of service. IBM X-Force ID: 148871.
CVE-2018-1798
PUBLISHED: 2018-11-12
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force...
CVE-2018-1884
PUBLISHED: 2018-11-12
IBM Case Manager 5.2.0.0, 5.2.0.4, 5.2.1.0, 5.2.1.7, 5.3.0.0, and 5.3.3.0 is vulnerabile to a "zip slip" vulnerability which could allow a remote attacker to execute code using directory traversal techniques. IBM X-Force ID: 151970.
CVE-2018-19203
PUBLISHED: 2018-11-12
PRTG Network Monitor before 18.2.41.1652 allows remote unauthenticated attackers to terminate the PRTG Core Server Service via a special HTTP request.
CVE-2018-19204
PUBLISHED: 2018-11-12
PRTG Network Monitor before 18.3.44.2054 allows a remote authenticated attacker (with read-write privileges) to execute arbitrary code and OS commands with system privileges. When creating an HTTP Advanced Sensor, the user's input in the POST parameter 'proxyport_' is mishandled. The attacker can cr...