PCI DSS 3.0 is now available

Today the PCI Security Standards Council (PCI SSC) published version 3.0 of the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS).

Version 3.0 becomes effective on 01 January 2014. Version 2.0 will remain active until 31 December 2014 to ensure adequate time for organizations to make the transition.

Changes are made to the standards every three years, based on feedback from the Council’s global constituents per the PCI DSS and PA-DSS development lifecycle and in response to market needs. Proposed changes for version 3.0 were shared publicly in August, and Participating Organizations and assessors had the opportunity to discuss the draft standards at the 2013 Community Meetings prior to final publication.

Version 3.0 will help organizations make payment security part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility.

Overall updates include specific recommendations for making PCI DSS part of everyday business processes and best practices for maintaining ongoing PCI DSS compliance; guidance from the Navigating PCI DSS Guide built in to the standard; and enhanced testing procedures to clarify the level of validation expected for each requirement. New requirements include:

PCI DSS

• Req. 5.1.2 – evaluate evolving malware threats for any systems not considered to be commonly affected
• Req. 8.2.3 – combined minimum password complexity and strength requirements into one, and increased flexibility for alternatives
• Req. 8.5.1 – for service providers with remote access to customer premises, use unique authentication credentials for each customer*
• Req. 8.6 – where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) these must be linked to an individual account and ensure only the intended user can gain access
• Req. 9.3 – control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination
• Req. 9.9 – protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution
• Req. 11.3 and 11.3.4 – implement a methodology for penetration testing; if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective
• Req. 11.5.1 – implement a process to respond to any alerts generated by the change- detection mechanism
• Req. 12.8.5 – maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity
• Req. 12.9 – for service providers, provide the written, agreement/acknowledgment to their customers as specified at requirement 12.8.2.

PA-DSS

• Req. 5.1.5 – payment application developers to verify integrity of source code during the development process
• Req. 5.1.6 – payment applications to be developed according to industry best practices for secure coding techniques
• Req. 5.4 – payment application vendors to incorporate versioning methodology for each payment application
• Req. 5.5 – payment application vendors to incorporate risk assessment techniques into their software development process
• Req. 7.3 – application vendor to provide release notes for all application updates
• Req. 10.2.2 – vendors with remote access to customer premises (for example, to provide support/maintenance services) use unique authentication credentials for each customer
• Req. 14.1 – provide information security and PA-DSS training for vendor personnel with PA-DSS responsibility at least annually.