Earlier this month, the Payment Card Industry Security Standards Council (PCI SSC) released Version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS), which includes several enhanced security requirements that will affect how businesses protect payment card data in their systems. The updated standard calls upon businesses to take a more active role in security compliance. It also addresses several common vulnerabilities in the cardholder data environment, including weak passwords, fallible authentication methods, out-of-date malware protection, and inadequate threat monitoring practices. The end result is a standard that gives businesses a clearer, yet more stringent, set of baseline requirements for protecting cardholder data. Compliance with Version 3.0 is required as of January 1, 2015, although some of the new requirements will not go into effect until July 1, 2015. Until then, they are recommended as best practices.
The payment card environment has grown more complex in the three years since the PCI SSC released the previous version of the standard. The emergence of new technologies has introduced additional security risks to payment card data. In particular, mobile payments and cloud services have expanded the periphery of payment card networks, presenting new challenges to securing cardholder data. Version 3.0 looks to respond to these challenges while focusing on three overarching goals:
- First, the updated standard seeks to improve awareness and education about payment security by building guidance directly into the standard. Version 3.0 includes a new section that informs businesses about the purpose and intent behind implementing each requirement. In addition, the standard now calls upon businesses to take a more dynamic approach to compliance, turning payment card security into a “business-as-usual” practice. In other words, PCI DSS compliance is no longer a once-a-year event, but rather requires an ongoing commitment to maintaining security controls between PCI DSS assessments.
- Second, the updated standard gives businesses more flexibility to satisfy certain security requirements. For example, Version 3.0 no longer requires that businesses follow explicit, fine-grained requirements for password complexity, instead allowing them to adopt password policies tailored to their own environment.
- Finally, the updates emphasize that entities should keep both their personnel and business partners informed about their respective roles in maintaining cardholder data security. For example, Version 3.0 adds a requirement that service providers acknowledge in writing to their customers that they are responsible for the security of the cardholder data they handle and of the cardholder data environment.
Businesses remain responsible for satisfying the same core functions required by the previous standard, which include the following: (1) building and maintaining a secure network and systems, (2) protecting cardholder data, (3) maintaining a vulnerability management program, (4) implementing strong access control measures, (5) regularly monitoring and testing networks, and (6) maintaining an information security policy.
Version 3.0 adds several new requirements to these core areas (and the PCI SSC has provided a helpful summary of changes). Many of these new requirements will not go into effect until July 1, 2015. Until then, they are recommended as best practices. Highlights of the new requirements include:
- New focus on physical security. Version 3.0 imposes new requirements for securing physical access to sensitive areas in the payment card environment, such as controlling onsite personnel's physical access to areas that contain cardholder data and terminating that access when it is no longer appropriate.
- Push for unique authenticators. Version 3.0 aims to remedy several authentication problems that have plagued the payment card industry over the past three years. In particular, the standard looks to ensure that vendors use adequate authentication mechanisms to access their clients' environments. Starting in July 2015, third-party vendors must use unique credentials for each merchant environment to which they have access.
- Emphasis on penetration testing. Version 3.0 adds new guidance on penetration testing; for example, businesses must now establish and implement a methodology for performing penetration tests on their network, which requires using a testing method based on an industry-accepted standard. Businesses must also verify that they are effectively segmenting their environment.
- Reminder to document. All twelve of the core requirements now include sub-requirements that businesses ensure that their security controls are properly documented, in use, and known to all affected parties.
The updated security standard impacts all businesses that transact with payment cards. Any entity involved in payment card processing, including any entity that stores, processes, or transmits cardholder data, is contractually obligated by the major payment card networks to comply with the security standard. Version 3.0 also clarifies that the requirements still apply to merchants who outsource their payment operations to third-party vendors: such merchants should remain active in their compliance efforts by managing and monitoring their vendors' compliance with PCI DSS. Non-compliance can result in serious fines and remediation costs, and potentially even loss of the ability to accept payment cards.
Version 2.0 remains active through December 31, 2014, in order to provide businesses with time to transition. Businesses would be well advised to begin evaluating the impact of Version 3.0 on their current business practices and creating a 2014 implementation plan.
Adam Solomon, an associate in our Washington, DC office, contributed to this entry.