Merchants have until the end of the year to comply with version 3.0 of the PCI DSS standard, which was introduced in November 2013.
A key theme of the new version is to reinforce how merchants should view PCI compliance when they outsource to third-party cloud service providers and other outsourcers.
“You’ve seen the majority of the data breaches reported [involved] third parties having access to sensitive information,” Leach said.
“We should have expected it [well before the big retail breaches] because as an industry there is more outsourcing going on, more dependencies on outsourced service providers and third party software services.”
One of the main problems was that merchants had confused the PCI compliance their cloud service providers offered via their contracts (which relates to protecting the merchant's credit card details) with coverage of the services the merchant offered customers on top of the cloud service, which it did not include.
“They thought that once they had outsourced to some random third party, that their responsibility was done,” Leach said. “That was never the case – they are still responsible to protect it.”
Version 3.0 therefore provides new requirements on third parties. Merchants have also separately been handed documents that Leach describes as “ammunition” to seek better security controls from cloud service providers.