PCI 3.0 is coming. Hide the kids.

By Rich

The Payment Card Industry Security Standards Council recently released a preview of potential changes in PCI 3.0 that will go into effect in 2014.

It looks like they read the Verizon DBIR:

The PCI Standards are updated based on feedback from the industry, per the standards development lifecycle as well as in response to current market needs. Common challenge areas and drivers for change include:

  • Lack of education and awareness
  • Weak passwords, authentication
  • Third-party security challenges
  • Slow self-detection, malware
  • Inconsistency in assessments

Nothing is final, but a few highlights are worth understanding now, since they may sure as heck nail you later:

  • Better current documentation of cardholder data flow and everything within PCI scope.
  • Penetration testing is a requirement. If they are serious about this I am not sure how that will play out for the SMB side of the world.

This one I’m darn curious to see how they handle. I predict total failure:

To address compromises where the organization had been PCI DSS compliant but did not maintain that status. Recommendations focus on helping organizations take a proactive approach to protect cardholder data that focuses on security, not compliance, and makes PCI DSS a business-as-usual practice.

  • An emphasis on consistency of assessments.
  • More specifics on “daily log reviews”. Oh my.

PCI isn’t totally worthless, but I don’t expect much practical improvement to come out of the 3.0 updates. These are very reasonable holes to address, and will help, but we may be about to burden many organizations with activities they cannot possibly support. Start your SaaS engines now…

Comments

I am pretty sure that Pen Testing has been part of requirement 11 for some time. I can definitely confirm it was there in version 1.1, so not sure why you reference it like it’s a new requirement??!

They have expanded the requirement to require a methodology, but that should exist if you are doing tests. Most companies will already be outsourcing this, which means it isn’t relevant to them, as they will be covered under the methodology of the testing company, and this would be captured under the new requirement around service provider management.

By D
