Blog Post / Privacy & Security Law Blog
PCI DSS 3.0: Business as Usual?
12.16.13
By Randy Gainer, Attorney, CISSP, and Christin McMeley, CIPP-US
In the past, critics of the Payment Card Industry (PCI) Data Security Standard (DSS) have alleged that the DSS requirements either (1) provide little more than a minimal security baseline that encourages a “check-the-box” approach to compliance, or (2) are written so vaguely that the Council can retroactively allege non-compliance and impose fees on merchants who claimed to have been PCI DSS “compliant” at the time of a breach (see our recent Genesco post). On November 7, 2013, the PCI Security Standards Council (SSC) released version 3.0, which may address these criticisms by:
- Focusing on “security, not compliance;”
- Making PCI DSS a “business as usual practice;”
- Providing “added flexibility on ways to meet the requirements;” and
- Clarifying “the level of validation the assessor is expected to perform.”