The next version of the Payment Card Industry Data Security Standard (PCI DSS) is due for release on November 7, 2013, along with a new version of the Payment Application Data Security Standard (PA-DSS). The PCI Security Standards Council (PCI SSC) previewed the changes last week, and there will be more changes from the current version 2.0 than there were between versions 1.2 and 2.0. They include new sub-requirements intended to make PCI compliance an ongoing part of daily business rather than a once-a-year assessment exercise. Some of the proposed, but not yet official, changes are:
- Policy guidance and operational procedures given with each requirement
- Elimination of redundant sub-requirements
- A requirement to maintain an inventory of all systems in PCI scope
- Clearer testing procedures for each requirement, and clearer statements of what evidence each must show
- More flexibility around methods of mitigation, including password strength and complexity requirements
- New requirements for the physical security of point-of-sale terminals, including protection against tampering and substitution
- Clarification of log review requirements, allowing more flexibility in how often less-critical log information is reviewed
- Guidance on cardholder data that is resident in memory
- Strengthened requirements for penetration testing, including validation that network segmentation actually isolates the cardholder data environment
These changes are highlighted in the document “PCI DSS and PA-DSS Change Highlights” on the PCI SSC website.
The new standards become “active” on January 1, 2014, but businesses can continue to validate against version 2.0 until the end of 2014. Some of the new sub-requirements, which may take additional time to implement, will remain “best practices” rather than mandatory for compliance until July 1, 2015. After that, compliance with all of version 3.0 will be required. EarthLink will help all of its customers stay compliant through our PCI Compliance Validation Portal, but you can also do it yourself (there is just a lot to learn)!