While PCI DSS 3.0 adds a number of new requirements, several of them, including some that could help prevent attack methods commonly used today, won't go into effect until July 2015 and will be treated as "best practices" in the meantime.
For example, requirement 6.5.10 says that companies should examine their software development procedures to make sure that broken authentication and session management processes are addressed in their internal and external Web applications by flagging session cookies as "secure," by not exposing session IDs in URLs, and by incorporating time-outs and rotation of session IDs after successful authentication.
These have been common website security practices for some time, so it's not clear why payment card organizations need a grace period of more than a year and a half to implement them.
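The four controls that requirement 6.5.10 names (session cookies flagged "secure," no session IDs in URLs, time-outs, and rotation of the session ID after successful authentication) are easy to state and easy to get wrong, so here is what they look like in code. This is an added example in Python using only the standard library, not code from the article, the PCI Security Standards Council or any vendor; the cookie name, the time-out values, the list of URL parameter names and the injected clock are assumptions for illustration.

```python
# Session handling that applies the controls named in PCI DSS 3.0 req. 6.5.10:
# random session IDs, rotation on login, Secure/HttpOnly cookie flags, idle and
# absolute time-outs, and a check that no session ID travels in a URL.
# Added example; not code from the article or the PCI SSC. Time-out values,
# cookie name and the URL parameter names are assumptions for illustration.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlsplit

COOKIE_NAME = "SESSIONID"
IDLE_TIMEOUT_S = 15 * 60         # assumed; PCI DSS 8.1.8 uses 15 minutes for idle sessions
ABSOLUTE_LIFETIME_S = 8 * 3600   # assumed hard cap regardless of activity
# Parameter names commonly used to carry a session ID in a URL (assumed list).
URL_SESSION_PARAMS = {"sessionid", "jsessionid", "phpsessid", "asp.net_sessionid", "sid"}


@dataclass
class Session:
    user: Optional[str]
    created: float
    last_seen: float
    authenticated: bool = False


class SessionStore:
    """In-memory session table; a clock is injected so time-outs are testable."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 128 bits from the OS CSPRNG: unguessable, and not derived from
        # user data, time, or a counter.
        return secrets.token_urlsafe(16)

    def create(self) -> str:
        """Anonymous pre-authentication session (e.g. a shopping cart)."""
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(user=None, created=now, last_seen=now)
        return sid

    def login(self, old_sid: str, user: str) -> str:
        """Rotate the ID on successful authentication.

        The pre-auth ID is destroyed, so an ID an attacker planted or
        observed before login (session fixation) is worthless afterwards.
        """
        self._sessions.pop(old_sid, None)
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(user=user, created=now, last_seen=now,
                                      authenticated=True)
        return sid

    def validate(self, sid: str) -> Optional[Session]:
        """Return the live session, or None (and drop it) once it has timed out."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if (now - sess.last_seen > IDLE_TIMEOUT_S
                or now - sess.created > ABSOLUTE_LIFETIME_S):
            del self._sessions[sid]
            return None
        sess.last_seen = now
        return sess

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header_weak(sid: str) -> str:
    """The pattern 6.5.10 targets: no Secure flag, so the ID is also sent over
    plain HTTP; no HttpOnly, so script injected by XSS can read it."""
    return f"{COOKIE_NAME}={sid}; Path=/"


def set_cookie_header(sid: str) -> str:
    """Hardened form: Secure (HTTPS only), HttpOnly (no script access),
    SameSite (not sent on cross-site requests). No Max-Age, so the browser
    drops it on close and the server-side time-outs stay authoritative."""
    return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def session_id_in_url(url: str) -> bool:
    """True if a session ID is carried in the query string or as a
    ';jsessionid=' style path parameter, i.e. in a URL that logs, proxies
    and Referer headers would leak."""
    parts = urlsplit(url)
    query_keys = parse_qs(parts.query, keep_blank_values=True)
    if any(k.lower() in URL_SESSION_PARAMS for k in query_keys):
        return True
    return any(f";{name}=" in parts.path.lower() for name in URL_SESSION_PARAMS)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    print("rotated on login:", anon != authed,
          "| old id still valid:", store.validate(anon) is not None)
    print(set_cookie_header(authed))
    print("leaks id:", session_id_in_url("https://shop.example/cart?SESSIONID=" + authed))
```

Two design points worth noting: the time-outs are enforced server-side on every `validate` call rather than trusted to the cookie's expiry, because the client controls the cookie; and `session_id_in_url` is the kind of check that belongs in a pre-deployment test or a log scan, since once an ID has been written to an access log or sent in a Referer header the damage is already done.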
Another new requirement (8.5.1) says that service providers who have remote access to customer systems in order to provide technical support for point-of-sale systems or servers must use unique authentication credentials for each customer. This requirement will also go into effect in July 2015, even though there have already been many cases where POS systems were compromised because their administrators used easy-to-guess passwords for remote access.
In an infographic accompanying the PCI DSS 3.0 release, the PCI Security Standards Council warned that many businesses outsource their IT operations and this can be a security risk. "Sixty-three percent of investigations identifying a security deficiency easily exploited by hackers revealed a third party responsible for system support, development, or maintenance," the council said.
The new version of the standard adds guidance on outsourcing PCI DSS responsibilities and includes a requirement -- 12.9 -- that says a service provider must "acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment." This requirement also comes with a grace period until July 2015.
The same situation applies for requirement 9.9.x, which says that companies must protect devices that interact physically with payment cards, like point-of-sale systems, from tampering and substitution: Companies should "periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device)."
There have been many cases in the past few years of attackers tampering with or completely replacing POS devices in stores and supermarkets to steal credit card data.
Another requirement that won't go into effect until July 2015 has to do with penetration testing strategies, which are generally important for any organization that wants to identify potential weaknesses in its infrastructure.