PCI DSS V.3.0: Risk Assessment Frameworks for Ecommerce, Mobile & Cloud Computing

Posted 8.19.13 by wpadmin | Blog

The PCI Security Standards Council recently issued a press release about anticipated changes to the PCI DSS (Payment Card Industry Data Security Standards) and PA-DSS (Payment Application Data Security Standard) as a preview for the changes in the third version of the standards to be released November 2013.

Version 3.0 features even more changes than version 2.0 as a result of a three-year standard development lifecycle, meaning the council has been conducting industry research since 2010 for the latest revisions. The press release names a few key drivers for the update:

  1. Lack of general PCI DSS education and awareness
  2. Weak passwords and authentication challenges
  3. Third-party security challenges
  4. Slow self-detection in response to malware and other threats
  5. Inconsistency in assessments

According to Troy Leach, PCI SSC chief technology officer, “PCI DSS and PA-DSS 3.0 will provide organizations the framework for assessing the risk involved with technologies and platforms and the flexibility to apply these principles to their unique payment and business environments, such as e-commerce, mobile acceptance or cloud computing.”

PCI Private Cloud

On the third-party security challenge, a lack of transparency into a PCI compliant cloud can frustrate merchants that try to gain visibility into the provider's systems and processes, leaving the security of the hosted environment an open question. A few ways you can gain more transparency with PCI hosting providers include:

  1. Check their PCI Report on Compliance (ROC)
  2. Check their documented security policies and procedures
  3. Verify which services are included in the PCI cloud hosting package
  4. Check that their employees are trained to the PCI standards

Read Four Ways to Gain Transparency with PCI Hosting Providers for a full description of each method.

Other proposed updates to the current PCI DSS standard include:

  • Recommendations on making PCI DSS business-as-usual
  • Best practices for maintaining ongoing PCI DSS compliance
  • Security policy and operational procedures built into each requirement
  • Guidance for all requirements with content from Navigating PCI DSS Guide
  • Increased flexibility and education around password strength and complexity
  • New requirements for point-of-sale terminal security
  • More robust requirements for penetration testing and validating segmentation
  • Considerations for cardholder data in memory
  • Enhanced testing procedures to clarify the level of validation expected for each requirement
  • Expanded software development lifecycle security requirements for PA-DSS application vendors, including threat modeling

The council is holding a few webinars, Preparing for PCI DSS and PA-DSS 3.0: Standards Change Highlights, at the end of August and beginning of September. The webinars will outline:

  • The process for developing and updating PCI Security Standards
  • The key changes to the standards and how they impact organizations’ efforts to protect payment card data
  • The timeline for delivery of the updated standards

Get more details on registering here.

For more information about other ways to secure your servers, read about our Technical Security services.

Or, if you’re confused about how to meet the technical security requirements of PCI DSS, read our PCI Compliant Hosting white paper. It discusses the impact of the PCI DSS standard on data centers and server infrastructure, describes the architecture of a PCI compliant data center both technically and contractually, and outlines the benefits and risks of data center outsourcing as well as vendor selection criteria.

References:
PCI Council Highlights Expected Changes to PCI DSS and PA-DSS (PDF)

About Otava

Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.
