The PCI Security Standards Council released version 3.0 of the PCI Data Security Standard (PCI DSS) and corresponding Payment Application Data Security Standard (PA-DSS), adding new security requirements and guidance for payment-card industry organizations, including merchants, payment processors, financial institutions and service providers.
The new version will go into effect on Jan. 1, 2014, but organizations will have until Dec. 31, 2014, to make the transition from PCI DSS 2.0. In addition, some of the new security requirements will have the status of best practices until June 30, 2015, after which they become mandatory.
The effectiveness of the PCI DSS, whose primary goal is to help organizations secure cardholder data, is disputed in the security community. That's partly because there have been many cases of merchants and payment processors that suffered significant cardholder data breaches despite having passed PCI DSS compliance assessments.
The PCI Security Standards Council recognized this problem and included a set of best practices in the new version of the standard that aim to make PCI DSS implementation part of business-as-usual activities and ensure that organizations involved in payment card processing remain compliant between annual assessments, rather than only at the point in time an assessment is performed.
These practices include:

- continuously monitoring firewalls, intrusion detection systems, antivirus products and access controls to ensure they operate as intended;
- ensuring that security control failures are detected and remediated in a timely manner, including restoring the control, identifying the cause and addressing any security issues that arose while it was failed;
- reviewing how planned changes to the environment, such as the addition of new systems or modification of existing system and network configurations, affect the scope of PCI DSS, and updating the security controls as needed;
- reviewing how organizational changes such as acquisitions or mergers affect the PCI DSS scope;
- reviewing at least annually whether the hardware and software technologies in use are still supported by their vendors; and
- implementing separation of duties between personnel in charge of security and those responsible for operations, so that no single individual has control over an entire process without independent checks.
"Periodic reviews and communications should be performed to confirm that PCI DSS requirements continue to be in place and personnel are following secure processes," the standard says. "These periodic reviews should cover all facilities and locations, including retail outlets, data centers, etc., and include reviewing system components (or samples of system components), to verify that PCI DSS requirements continue to be in place--for example, configuration standards have been applied, patches and AV are up to date, audit logs are being reviewed, and so on."
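The periodic review the standard describes is easy to state and easy to let slip. Below is an added example, written for this article and not code from the PCI Security Standards Council or any assessor, of how a team might track that evidence: each control carries the date it was last verified as working, a tolerance for how stale that evidence may become, the latest operating status, and (for technologies) the vendor's end-of-support date. The control names, tolerances, dates and the one-year end-of-support warning window are all assumptions chosen for illustration; the inventory is constructed sample data.

```python
"""Business-as-usual control monitoring: flag controls whose evidence is
stale, that are reported as failed, or whose vendor support is ending.

Added example for illustration; the inventory below is constructed sample
data and every threshold is an assumption, not a PCI DSS value."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class ControlCheck:
    control: str                      # e.g. "antivirus signatures"
    last_verified: date               # last date evidence showed it working
    max_age_days: int                 # tolerance before evidence is stale
    operating: bool = True            # latest evidence: working as intended?
    vendor_support_ends: Optional[date] = None  # only for technologies


@dataclass(frozen=True)
class Finding:
    control: str
    issue: str
    days_overdue: int                 # 0 when the issue is not age-based


def evaluate_controls(checks: List[ControlCheck], today: date,
                      eos_warning_days: int = 365) -> List[Finding]:
    """Return one Finding per problem, in inventory order.

    A control can yield several findings (e.g. failed *and* stale)."""
    findings: List[Finding] = []
    for c in checks:
        if not c.operating:
            findings.append(Finding(c.control, "control failure reported", 0))
        age = (today - c.last_verified).days
        if age > c.max_age_days:
            findings.append(Finding(c.control, "evidence stale",
                                    age - c.max_age_days))
        if c.vendor_support_ends is not None:
            remaining = (c.vendor_support_ends - today).days
            if remaining < 0:
                findings.append(Finding(c.control, "vendor support ended",
                                        -remaining))
            elif remaining <= eos_warning_days:
                findings.append(Finding(c.control,
                                        "vendor support ends within a year", 0))
    return findings


def format_report(findings: List[Finding]) -> List[str]:
    """Render findings as lines, most overdue first, for a review meeting."""
    ordered = sorted(findings, key=lambda f: f.days_overdue, reverse=True)
    return [f"{f.control}: {f.issue}"
            + (f" ({f.days_overdue} days overdue)" if f.days_overdue else "")
            for f in ordered]


# Constructed sample inventory (assumed names, dates and tolerances).
SAMPLE_TODAY = date(2014, 1, 15)


def sample_inventory() -> List[ControlCheck]:
    return [
        ControlCheck("firewall rule set review", date(2013, 7, 1), 180),
        ControlCheck("antivirus signatures", date(2014, 1, 14), 1),
        ControlCheck("IDS sensor heartbeat", date(2014, 1, 15), 1,
                     operating=False),
        ControlCheck("audit log review", date(2014, 1, 14), 1),
        ControlCheck("POS operating system", date(2014, 1, 10), 90,
                     vendor_support_ends=date(2014, 4, 8)),
        ControlCheck("payment switch operating system", date(2014, 1, 10), 90,
                     vendor_support_ends=date(2013, 12, 31)),
    ]


def run_sample() -> List[Finding]:
    return evaluate_controls(sample_inventory(), SAMPLE_TODAY)


if __name__ == "__main__":
    for line in format_report(run_sample()):
        print(line)
```

On the sample data the firewall review is 18 days past its tolerance, the IDS sensor is reported failed, one operating system is already out of vendor support and another reaches end of support within the year; the antivirus and audit-log controls, verified the previous day against a one-day tolerance, produce nothing. Feeding real evidence into such a check on a schedule is what turns the standard's "periodic review" from an annual scramble into an ongoing signal.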
While welcome, these recommendations neither extend nor replace the existing PCI DSS requirements, so organizations are not actually required to follow them in order to achieve PCI DSS compliance.
This continuous monitoring and review of PCI DSS security controls as part of business-as-usual activities should be a requirement today, because that's the only way to achieve good security, said Steve Hall, director of PCI solutions at security firm Tripwire. Hall believes that the presence of these best practices in PCI DSS 3.0 is laying the groundwork for requirements in future versions of the standard.