Service providers who work with merchants to maintain and secure their payment systems will have to provide stronger authentication measures and fully meet the requirements maintained by the payment industry, according to version 3.0 of the Payment Card Industry Data Security Standards.
The standard, unveiled by the PCI Security Standards Council Thursday, prescribes a minimal level of security that merchants must meet to protect cardholder data and is enforced by the individual card brands. In addition to stronger authentication measures, it calls for thorough penetration testing to ensure payment systems are properly segmented and isolated from other systems on the corporate network.
Version 3.0 of PCI DSS takes effect Jan. 1, but merchants have until June 1, 2015, to meet all of the requirements in the revised standard. The goal of the document is to get merchants to think about protecting their payment environments throughout the year, rather than when an annual assessment is due, said Bob Russo, general manager of the PCI SSC. It includes recommended best practices and has clarifications to make validation against all the requirements clearer for assessors, Russo said.
"Everything we see from the breach reports we're getting leads us to believe that what we're doing with PCI is the right approach," Russo said. "Our message is to make sure that security becomes business as usual for merchants, and if we can get them to focus on that, we're going to see a huge improvement ahead of where we're at right now."
PCI DSS helps educate small and midsize businesses in the security controls that are needed to protect sensitive data, said Jon Sargent, director of technology architecture at Virginia Beach, Va.-based solution provider Endurance IT Services. Businesses turn to the channel for ways to solve data security, and many of their budgets are allocated based on meeting compliance mandates, Sargent said. Smaller firms need more of a helping hand, he said.
"A lot of small businesses are or should be complying with the standard but they may not be aware of the need for compliance," Sargent told CRN. "Many small businesses are not in compliance and do not understand where their responsibility lies."
PCI DSS is the credit card industry's response to a litany of data security breaches, driven by financially motivated cybercriminals out to steal account credentials, personally identifiable information and credit card data.
Version 3.0 of PCI DSS also changes the layout of the document in an effort to make it easier to track security controls throughout all 12 core requirements. The 12 requirements outline physical access measures, firewall configuration, authentication and access control, encryption, antivirus, application security, system monitoring, logging, and policy setting and enforcement.