The PCI Security Standards Council is giving merchants a first look at changes that could be introduced later this year to its credit card data and payment application security guidelines.
On Thursday, the council released the seven-page “3.0 Change Highlights” document, a preview to the updated PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA DSS), which are set to be published Nov. 7.
The standards, which undergo revisions every three years, were developed to help ensure that customer card data is protected by merchants that store, transmit and process it.
Merchants will be given more flexibility in password management and additional guidance around each of the 12 core security requirements in the upcoming PCI DSS revisions.
The Payment Card Industry (PCI) Security Standards Council released draft guidance into its upcoming version 3 of the credit and debit card Data Security Standard (DSS), imposed on merchants and enforced by banks.
The changes will also require merchants to draw diagrams of how cardholder data flows through their networks.
The PCI council's general manager, Bob Russo, said the possible amendments were meant to make the guidelines easier to implement.
"In our mind, we need to make this more of a business-as-usual type of thing, instead of you study to pass the test once a year," Russo said.
"We have the same core 12 standards, but we have incorporated things to make this part of their everyday [operations]."
Meanwhile, the updated PA DSS, which was introduced by the council in 2008, is likely to include additional procedures for software developers who build programs that process credit card payments, including rules on managing the full lifecycle of the software and requirements for developer education.
There has been back-and-forth in the security community, and among merchants, over whether PCI DSS is a burden or a benefit to those expected to comply.
Organisations often cite implementation, audit costs, dealing with legacy systems and overcoming confusion over what is required as prime challenges.
Meanwhile, there are questions over whether the banks and the card brands are taking on enough of the risk.
In one landmark case, a merchant is in the midst of a court battle to recoup $13 million in fines levied against it after a 2010 breach.
Per its merchant contracts, US sportswear company Genesco compensated its acquiring banks, Wells Fargo and Fifth Third, for the fine amount. It then filed a lawsuit against Visa, which levied the penalty, to recoup that amount.
Visa imposed the penalties on the banks, which passed them down to Genesco, for non-compliance with PCI DSS that allegedly led to the breach.
In a complaint filed in a US District Court, Genesco said that Visa "had no reasonable basis for concluding that Genesco was non-compliant with the PCI DSS requirement at the time of the intrusion or at any other relevant time".
Visa late last month lost a motion to dismiss the suit.
The proposed changes to PCI DSS and PA DSS are expected to come in November, after drafts are discussed at the council's community meetings in September and October.
The new standards will become effective 1 January next year.
According to Visa statistics, as of 31 December 2012, 95 percent of Level 1 merchants, which are those companies that process more than six million transactions annually, had validated PCI DSS compliance.
Level 2 merchants, which process between one and six million transactions, have achieved a 90 percent rate.
Level 3 merchants, which process between 20,000 and one million transactions, are at 55 percent.