The PCI Security Standards Council (PCI SSC), a worldwide forum that develops payment card security standards for its corporate members, has published its latest version of those standards for implementation in January 2014.
The most recent updates include recommendations for blending the PCI Data Security Standard (PCI DSS) and the PCI Payment Application Data Security Standard (PA-DSS) into everyday business processes and best practices.
The PCI Council was created in 2006 by five of the largest global credit card brands: American Express, Discover, JCB International, MasterCard Worldwide, and Visa Inc. It is working to keep up with the growing dependence of its approximately 700 members, particularly small businesses, on third-party security technology providers.
“As we continue to leverage technologies like cloud and expand e-commerce and mobile environments, this (dependence) will only increase,” said Bob Russo, General Manager for the PCI SSC. “The PCI DSS 3.0 standard will help organizations better understand what they need to be aware of when working with third parties, and ensure that service providers are aware of their responsibilities to protect cardholder data.”
Version 3.0 of the standards specifically addresses issues such as evaluation of malware threats, strengthening requirements for password management, updating authentication mechanisms and the control of physical access to devices that capture payment card data. Also, the updates should help members more easily integrate payment security protection into their operations.
Russo told securitycurrent that the PCI Council has increased its focus on educating members and building awareness about standards and security issues. This is necessary because many companies find it difficult to make the standards a routine part of their business practices.
The PCI Council, whose goal is to improve the security of payment card data worldwide, including systems that store, process or transmit cardholder data, updates the standards every three years based on feedback from its constituents.
As a self-regulating organization, the PCI Council has developed its own team of qualified security assessors who review and approve the security practices of each member organization annually. However, the assessment is only a snapshot in time, and many companies stumble in their efforts to maintain the standards the rest of the year. The PCI Council hopes that its education and awareness programs will help companies improve their compliance with the PCI Council’s standards.
Gail Bronson is an accomplished technology journalist and security start-up entrepreneur. She was the Founding Managing Editor of Bloomberg and the Founding Editor of the Forbes Science & Technology section, and she held stints at other publications including U.S. News & World Report and Internet Week.