The PCI Security Standards Council (“PCI SSC” or the “Council”) recently released Version 3.0 of the Payment Card Industry Data Security Standards (“PCI DSS” or the “Standards”). A table summarizing the changes to the previous version is available on the Council’s website. The Standards go into effect on January 1, 2014, but companies have until December 31, 2014 to make the transition from Version 2.0 to Version 3.0.

What Are the Standards and Who Must Comply? The Standards apply to all entities involved in payment card processing, such as merchants, processors, financial institutions, and service providers, and to any entity that stores, processes or transmits cardholder data and/or sensitive authentication data. Cardholder data and sensitive authentication data includes, for example, the primary account number, cardholder name, expiration date, full track data from the magnetic strip, and personal identification numbers. 

The Standards provide a baseline set of requirements to protect cardholder data, and other laws and regulations may require additional controls and practices. The Council categorizes the Standards into 12 “high-level” requirements, outlined below, and each requirement contains technical sub-requirements that companies should review carefully.

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

What Are the Changes in Version 3.0? Version 3.0 of the Standards clarifies existing requirements and adds additional technical requirements that include:

  • Ensuring anti-virus solutions are actively running and cannot be disabled or altered by users
  • Evaluating evolving malware threats for systems not considered to be commonly affected by malicious software
  • Implementing coding practices that protect against broken authentication and session management
  • Implementing a methodology for penetration testing (effective July 1, 2015)
  • Requiring service providers with remote access to use unique authentication credentials for each customer
  • Requiring that authentication mechanisms, such as security tokes or smart cards, are linked to an individual account
  • Controlling physical access to sensitive areas for onsite personnel
  • Strengthening password security
  • Maintaining certain documentation, including information about which PCI DSS requirements are managed by the entity and which requirements are managed by service providers
  • Requiring providers to acknowledge in writing to its customers that it is responsible for the security of the cardholder data it holds (effective July 1, 2015)

Version 3.0 also includes a new section that aims to increase compliance with the Standards by providing recommendations for implementing the security guidelines into a company’s “business-as-usual” activities.

Why Should Companies Comply With the Standards?  Companies should review and ensure compliance with the revised Standards. The revised Standards may require companies to modify current practices, policies and customer-facing documentation. The Standards help ensure that companies that process and store payment card information are protecting cardholder data adequately and guarding against data breaches. Companies that do not comply with the Standards may face fines in the event of a data breach, class-action lawsuits, negative audit reports, and public criticism.