News Feature | November 12, 2013

PCI Compliance Guidelines 3.0 Released

Source: Retail Solutions Online
Sam Lewis

New standards move organizations to shared responsibility of card payment security

Version 3.0 of the Data Security Standard (DSS) for securing payments has been published by the Payment Card Industry Security Standards Council (PCI SSC). The latest version of the standard is focused on helping merchants deal with security problems as the ways consumers pay for goods continue to evolve.

The new standards encourage minimizing the cardholder data footprint by including processes such as point-to-point encryption, which encrypts card data as it moves across networks. “If we can minimize where cardholder data is needed to be stored, processed, and transmitted, then we can focus all the security concerns and controls on a smaller area of systems and networks,” says Troy Leach, CTO of PCI SSC.

The adjustments make the standards more flexible for merchants using varied payment methods. The new version also emphasizes that responsibility for payment security is shared by all participants in a card transaction. “A lot of companies are outsourcing their payment data to payment processors and thinking that their obligation is done, because they’ve outsourced it to someone who tells them that they’re PCI compliant. That is not the case,” says Bob Russo, GM of PCI SSC. The latest edition of the standards is intended to keep merchants involved in compliance and security at all times, as opposed to only being concerned with compliance ahead of an upcoming audit.

The standards are updated every three years, with the revisions based on feedback from the council’s global members and on the needs of a changing market. While version 3.0 has been published on PCI SSC’s website, version 2.0 will remain in effect until Dec 31, allowing organizations adequate time to adjust to the transition. Additionally, some of the new requirements will remain best practices until June 30, 2015.

The updates aim to make the DSS part of everyday business processes while maintaining PCI DSS compliance. “Overall, we try to create these standards to be incorporated throughout the development of new systems, throughout the lifecycle of all the technology and processes they use,” Leach says. While the updates make significant progress over the current standards, there is no mention of requiring companies to adopt the new strategies. Version 3.0 also makes no mention of changes to mobile payment security. As more and more retailers begin omni-channel offerings, realizing how important mobile is to consumers, updated standards for mobile payments may become a pressing concern for many companies.