DIARY


NEW PCI STANDARDS ON THE WAY

The Payment Card Industry (PCI) body in charge of the PCI Data Security Standards (PCI DSS) has highlighted payment data security areas retailers will need to prioritise in coming months. The PCI Security Standards Council (PCI SSC) earlier this summer released highlights of expected changes, which include new requirements for point-of-sale (PoS) and password security, with a greater overall emphasis on education and awareness (PoS, passwords and education lead new PCI changes, RetailTechnology.co.uk, 15 August 2013).

Retail Technology spoke to Jeremy King, PCI SSC European director, about the next version 3.0 of the PCI DSS and Payment Application (PA) standards to be published in November. King advised retailers to review the PCI DSS and PA DSS version 3.0 Changes Highlights document, which includes a preview of new requirements for PoS terminal security, increased flexibility and education around password strength and complexity, and more robust requirements for penetration testing and validating segmentation. It also covers the pending v3.0 considerations for the use of cardholder data in memory.

“Feedback from the industry and what we’re seeing in the market in terms of security challenges and compromises are the drivers for the changes we make to the standard,” he said. “Memory scraping compromises are something we’re seeing a lot of – where hackers are able to access a terminal and where the credit card info has to be in the clear for processing purposes, so we’re looking at ways to build more robust mechanisms for protecting memory. It’s challenging because we don’t want to make it too burdensome for smaller merchants, so we have to be careful about how we address this.”

Changes to the standards are made based on feedback from the Council’s global constituents as per the PCI DSS and PA DSS development lifecycle and in response to market needs. Key drivers for the v3.0 updates are lack of education and awareness; weak passwords and authentication challenges; third-party security challenges; slow self-detection in response to malware and other threats; and inconsistency in assessments.

King added: “A lot of updates planned are designed to help retailers better understand the intent of requirements and how to properly implement and maintain controls across their organisation.”

This will take the form of recommendations on making PCI DSS business-as-usual and best practices for maintaining ongoing PCI DSS compliance, with security policy and operational procedures built into each requirement. Enhanced testing procedures will clarify the level of validation expected for each requirement, and expanded software development lifecycle security requirements for PA DSS application vendors, including threat modelling, will also be covered.

“With this version we’re really focusing on helping organisations shore up these controls by, for example, adding clarification that default passwords for security software like file integrity monitoring must be changed upon installation, by focusing daily log reviews on security-relevant logs and critical systems, and by enhancing controls in PA DSS for payment applications to enforce changing of default vendor passwords during the installation process,” said King. “At the same time, more rigorous testing procedures for validating proper implementation of requirements will help organisations drive and maintain controls across their business. Overall, the updates will give organisations a strong but flexible security architecture with principles that can be applied to their unique technology, payment and business environments.”

Despite this early guidance, King highlighted that these v3.0 updates are still under review by the PCI community. Final changes will be determined after the upcoming PCI Community Meetings (see Events, page 5) and incorporated into the final versions of the PCI DSS and PA DSS to be published in November.

Based on feedback from the industry, the Council moved from a two-year to a three-year standards development lifecycle in 2010 to provide a longer period to gather feedback and more time for organisations to implement changes before each new version is released.

DATE FOR THE DIARY

PCI DSS and PA DSS 3.0 will be published on 7 November 2013. The standards become effective 1 January 2014, but version 2.0 will remain active until 31 December 2014 to ensure adequate transition time.

www.retailtechnology.co.uk, Autumn 2013

