[Infographic: summary of the changes in PCI DSS 3.0]

Nov 8, 2013 17:21 GMT

The Payment Card Industry Security Standards Council (PCI SSC) has published version 3.0 of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS). Version 2.0 remains valid until December 31, 2014, giving organizations a year to make the transition.

Version 3.0 of both standards becomes effective on January 1, 2014. The changes in the new version are based on market needs and on feedback from the Council's global participating organizations.

According to the Council, version 3.0 is intended to help organizations that process payments make security part of their day-to-day business activities rather than an annual compliance exercise. It allows more flexibility in how requirements are met, and it puts more emphasis on awareness, education, and security as a shared responsibility between merchants, service providers, and their vendors.

“PCI Standards continue to provide a strong framework for payment card security,” commented Bob Russo, general manager at PCI SSC.

“The core principles at work when we first published PCI DSS are still relevant today. Version 3.0 builds on these to address the feedback we’ve heard from our community and to help organizations make payment security good business practice – every day, all year round.”

Here are some of the new and updated requirements in PCI DSS 3.0. Note that several of the new requirements (including the device tamper-protection and penetration-testing items below) are designated best practices until June 30, 2015, after which they become mandatory requirements:

- evaluate evolving malware threats for any systems not considered to be commonly affected by malicious software, so that the "not commonly affected" exemption from anti-malware controls is periodically re-justified rather than assumed;

- combine the former minimum password complexity and strength requirements into one, with increased flexibility for alternative authentication mechanisms of equivalent strength;

- where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), these must be linked to an individual account and must ensure that only the intended user can gain access with them;

- protect devices that capture payment card data via direct physical interaction with the card (point-of-interaction devices such as card readers and payment terminals) from tampering and substitution;

- implement a documented methodology for penetration testing; if network segmentation is used to isolate the cardholder data environment (CDE) from other networks, perform penetration tests to verify that the segmentation methods are operational and effective, i.e. that out-of-scope systems genuinely cannot reach the CDE.

The complete PCI DSS v3.0, together with the summary of changes from v2.0, is available on the PCI SSC website. Also, check out the infographic that summarizes the changes.