The Payment Card Industry Security Standard Council (PCI SSC) recently released a set of anticipated changes to the PCI Data Security Standard (PCI DSS) and Payment Application-Data Security Standard (PA-DSS).
PCI SSC identified five challenges and key drivers for change: 1) lack of education and awareness; 2) weak passwords and authentication; 3) third-party security challenges; 4) slow self-detection and malware; and 5) inconsistency in assessments. To address these challenges, the Version 3.0 changes will focus on education and awareness, increased flexibility, and the notion of security as a shared responsibility. Accordingly, the anticipated changes are designed to foster a strong but flexible, principle-based security architecture that supports unique technology, payment, and business environments. Specifically, the changes introduced in Version 3.0 of PCI DSS and PA-DSS will, among other things, increase clarity on PCI DSS and PA-DSS requirements, drive more consistency among assessors, help manage evolving risks and threats, and strengthen alignment with changes in industry best practices.
Version 3.0 of PCI DSS and PA-DSS is scheduled for release in November 2013. Although the updated standards will become effective on January 1, 2014, Version 2.0 will remain effective until December 31, 2014 to allow adequate time for the transition.
To read the Version 3.0 Change Highlights, please access the PCI website at https://www.pcisecuritystandards.org/documents/DSS_and_PA-DSS_Change_Highlights.pdf.
Written by Maki DePalo, Associate | Alston & Bird LLP