The PCI Security Standards Council (PCI SSC) has officially released the PCI DSS v3.0 compliance standards, but much remains to be done before merchants, service providers and the auditors will know how the new mandates will impact the payments industry.
In September, the PCI Security Standards Council (PCI SSC) released drafts of version three of the PCI DSS and PA-DSS which included six new requirements that are to be considered best practices until they officially become compliance requirements in mid-2015.
“PCI SSC has been taking all the feedback they got on the proposed changes and is trying to address them,” said Steve Hall, director of PCI solutions for Tripwire, who has over 20 years of expertise in PCI compliance and works with seven of the ten largest retailers in the world.
“The fact that they’re putting the rubber stamp on the new standard is a big deal, however, the standard is all that they are committing to – the supplemental documents, including the reports and network diagrams, won’t be released until March. This will significantly delay updated audit procedures and testing standards,” Hall said.
The six new requirements cover:
- 6.5.6 – Insecure handling of PAN and SAD in memory
- 6.5.11 – Broken authentication and session management
- 8.5.1 – Unique authentication credentials for service providers with access to customer environments
- 9.9 – Protecting point-of-sale (POS) devices from tampering
- 11.3 – Developing and implementing a methodology for penetration testing
- 12.9 – Additional requirement for service providers on data security
“The good news is PCI 3 includes new reporting templates with reporting guidance – the PCI community is definitely looking forward to this. The bad news is the ‘report on compliance’ format is still in development – the standards committee has tentatively committed to have this also released by March.
“This means that while the new standard takes effect on January 1, 2014, QSAs will not have any way to determine if they are testing the right procedures until then, and they won’t be able to provide reports until 90 days later.
“Even though PCI DSS v2 compliant vendors will have a one year grace period, this gap is bound to be a significant friction point between the standards body, merchants and service providers, and the QSAs,” Hall said.