In August 2013, the Payment Card Industry (PCI) Security Standards Council released Highlights of new versions of the Data Security Standard (DSS) and Payment-Application Data Security Standard (PA-DSS). The Council is releasing Versions 3 of each of the Standards to about 700 Participating Organizations, including banks, merchants, security assessors, and hardware and software vendors in September 2013. The Standards will be discussed at a North American Community Meeting in Las Vegas on September 24-26 and then will be publicly released on November 7, 2013. The new Standards will become effective January 1, 2014. Entities subject to the Standards are encouraged to begin implementing the new Version 3 of the Standards as soon as possible, but the current Version 2 will remain effective until December 31, 2014.
According to the Council’s Highlights, the revised Standards will:
- Focus on some areas of greater risk in the current threat environment;
- Clarify some of the Standards requirements;
- Provide better understanding about the intent of the requirements;
- Provide more flexibility for all entities applying the Standards;
- Drive more consistency among security assessors;
- Address new risks and threats;
- Align with changed best practices;
- Clarify scoping and reporting; and
- Eliminate redundant sub-requirements and consolidate documentation.
If the new Standards accomplish these goals, it should be welcomed by security assessors and merchants. Although some assessors and technology developers have recognized that the Standards have improved data security since they were introduced 10 years ago, they have also criticized the Standards for several perceived shortcomings. For example, one Qualified Security Assessor (QSA) criticized the Standards’ requirement that QSAs must retain all pertinent assessment documents for at least three years, the requirement that each Report on Compliance completed by QSAs be lengthy and detailed, and the Council’s and card brands public comments that most breaches are caused by merchants’ and processors’ failure to comply with the Standards rather than conceding that complying with the Standards is not sufficient by itself to prevent a breach. A developer faulted the Council for being “way behind the times on the technologies that drive business” and for being “notoriously behind the times when it comes to the types of attacks that merchants face.” Other security engineers echo the latter criticism when they describe being at cyber war against attackers each day, facing constantly changing tactics from capable cyber criminals.
The Council states that the new Standards focus on “security, not compliance.” The extent to which that proves to be true will determine whether the new Standards contribute to actual data security or encourage a “checklist” mentality. The Council should recognize what many merchants, processors, and security assessors know: complying with the Standards is only one step in trying to secure payment card data.