PCI DSS Version 3.0: No Need to Worry


Release of the new Payment Card Industry Data Security Standards (PCI DSS) Version 3.0 from the PCI Security Standards Council (PCI SSC) is expected November 7, 2013. Are you worried? You shouldn’t be. 

As you might expect, there’s been a recent rash of PCI DSS 3.0 speculation, opinion and insight posted in tech articles, blogs and other editorials, running the gamut from help to hype. Many pieces have been calling it a “quandary” since the proposed standards updates were announced in August. What will it mean? Things you must know. What you must do. How to get through it. What are the costs? You know the drill. All good questions and thought starters.

But really, you can relax.  

First, we all knew PCI DSS updates were coming, right? After all, it is Version 3.0. As they say, “this ain’t our first rodeo.” It’s part of the PCI SSC’s defined 36-month lifecycle. But it’s designed with eight stages ensuring a gradual phasing-in of new versions of standards—and with a reasonable window for implementation to prevent organizations from falling into noncompliance once changes are published. As I mentioned, the PCI SSC released proposed changes in August in order to invite feedback. The official version will be published this month. Implementation of the new PCI DSS will begin January 1, 2014, and PCI DSS 2.0 compliant organizations will have until January 1, 2015 to move to the new standards. There’s adequate time to make the transition.

Secondly, and this is just my view from 30,000 feet—it’s a revision (emphasis on “vision”). It’s not a re-creation. With Version 2.0 under our belts, the foundation and structure for PCI DSS are already there. Most notably, we see a welcomed shift in perspective in Version 3.0, from “compliance” to “security.” In other words, new emphasis is placed on security—and the prevention of breaches and data loss rather than simply “compliance,” meeting standards and making the grade on audits. Lack of education, weak security, third-party security and slow malware detection are among the change drivers framing the following overarching themes in the proposed PCI DSS Version 3.0:

  • Education and Awareness: Updates are geared towards education, best practices and accountability to help organizations make security a part of their culture and to properly implement and maintain security processes and controls throughout their businesses. The emphasis is on payment processing and data security rather than simply verifying specific security technologies are in place.
  • Increased Flexibility: Changes focus on frequently seen risks that lead to cardholder data compromise, such as weak passwords and authentication methods, malware and poor self-detection, providing added flexibility to address and mitigate common risks. At the same time, more rigorous testing for validating proper security implementation will be introduced with a proactive, continuous “business-as-usual” approach to PCI DSS compliance, rather than focusing on the annual audit “fire drills.”
  • Security as a Shared Responsibility: With a complex payment environment creating multiple points of access to cardholder data, the new version adds guidance to cloud providers and businesses to ensure there is ‘shared responsibility.’ I might add this only heightens the need for businesses to partner with a trusted, certified PCI compliant data center services provider.
  • Emerging Technologies: Standards are constructed so that the principles can be applied however and wherever cardholder data is processed, transmitted or stored including e-commerce, mobile acceptance and cloud computing.

So, what do you need to worry about? Cybercriminals. They are relentlessly advancing their levels of sophistication, which is why advancing security through enhanced PCI DSS requirements is necessary. No doubt, you heard about the latest major security breach (October, 2013)—hackers accessed names, credit or debit card numbers and expiration dates for up to 2.9 million Adobe customers. The need is solid. 

So relax. There’s time. There’s work to do, but you do have time.

And with a trusted service provider, it should be fairly seamless and worry-free. That’s where we can help. Windstream is presently a certified PCI DSS Version 2.0 “Level 1” service provider with plans to quickly make the transition to Version 3.0. Talk to a trusted Windstream advisor to see how we can help ensure your compliance. 

Be sure to check back at the Windstream blog. We’ll review the final PCI DSS Version 3.0 and provide updates if there are changes to the proposed requirements. We promise. As we said, this ain’t our first rodeo.