Version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS) was published in early November, three years after the previous update to the standard. The new standard is due to take effect on January 1, 2014, but companies will generally have until December 31, 2014, to come into compliance. Some revisions to the standard, which may require more transition time, will not require compliance until July 1, 2015.
Enforced by the major payment card brands, PCI DSS sets detailed mandates for the security of payment card information that apply to all companies that process credit card data. Verification requirements differ depending on the scale of a company’s card processing operations. According to the PCI Security Standards Council, the self-regulatory body that administers PCI DSS, Version 3.0 is generally intended to provide covered companies with more flexibility, promote education and training, and make card security a “business as usual” effort rather than one focused on annual assessments. Some changes are aimed at tackling potential causes of data security breaches, such as malware and password weaknesses. At the same time, the changes are intended to provide more specificity about how compliance with the standard should be evaluated.
Of note for smaller businesses, PCI DSS Version 3.0 clarifies that the use of a compliant payment application does not relieve a merchant of its own PCI DSS obligations; rather, the merchant's PCI DSS assessment should include a review of how the application is configured and implemented. The revised standard also provides guidance on how to assess PCI DSS compliance for companies that use third-party service providers to store and process card data or to provide other security-related services.