
Although cyberspying emerged as the most talked-about security threat in 2010, traditional data security breaches continue to make headlines. In October, a hacker breached an Ohio State University server containing the personal data of 760,000 people, including names, addresses, Social Security numbers and dates of birth.
No credit card numbers were involved, but the incident points to the need for greater data security protection. Credit card numbers are especially vulnerable to theft because they are easily converted into money. That’s why the Payment Card Industry Security Standards Council (PCI SSC) has released a new version of the PCI Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS).
Based upon feedback the Council received from merchants, banks, processors and others in the PCI community, the new release is designed to help stakeholders better understand the credit card industry’s security requirements and ease implementation of the security standard. A summary of changes to the standards was shared with the market prior to the release, highlighting revisions, clarifications, additional guidance and evolving requirements.
The PCI DSS, mandated by Visa, MasterCard and other card issuers, requires “all merchants with internal systems that store, process or transmit cardholder data” to comply with 12 key data protection measures and submit to security audits. Under the rules, companies must protect cardholder transaction data through logical and physical access controls, activity monitoring and logging, encryption and regular network scans. Companies could face penalties of up to $500,000 for breaches of customer credit card information.
Payment applications that are used to store, process and transmit cardholder data are governed by the PA-DSS standard, which is derived from the PCI DSS Requirements and Security Assessment Procedures. Use of a PA-DSS-compliant application by itself does not make an entity PCI DSS-compliant; the application must be implemented in a PCI DSS-compliant environment. Payment applications should, however, facilitate PCI DSS compliance.
Version 2.0 does not introduce any new major requirements. The majority of changes are modifications to the language that clarify the meaning of the requirements and make understanding and adoption easier for merchants. Key revisions serve to reinforce the need for a thorough scoping exercise prior to assessment in order to understand where cardholder data resides; promote more effective log management in securing cardholder data; allow organizations to assess and prioritize vulnerabilities using a risk-based approach that is based on their specific business circumstances; and accommodate the unique environments of small merchants to simplify their compliance efforts.
The new standards became effective January 1, 2011, but validation against the previous version of the standard (1.2.1) will be allowed until December 31, 2011. This gives organizations more time to understand and implement the new versions of the standards and to provide feedback throughout the process. However, the Council encourages organizations to transition to the updated version as soon as possible. Starting January 1, 2012, all assessments must be conducted under version 2.0 of the standards. The release of version 2.0 begins a new three-year lifecycle for standards development, which streamlines the development process by aligning the DSS, PA-DSS and PIN Transaction Security (PTS) standards on a common three-year schedule. The lifecycle also allows minor revisions to be issued during the cycle as necessary.
The Council has launched a new Web site with updated materials and navigational tools aimed at providing its diverse stakeholders with the targeted information they need to understand the standards and how to apply them in their organizations. As part of a broader initiative to help small merchants develop their PCI security programs, it also includes a dedicated site for this key group with resources to address their unique environments.
The PCI SSC is a global, open industry standards body providing management of the PCI DSS, PA-DSS and PTS requirements. The standards, detailed summary of changes and supporting documentation can be found at https://www.pcisecuritystandards.org/security_standards/documents.php.