Explaining new requirements under PCI DSS 3.0

December 06, 2013

On January 1, 2014, the third version of the Payment Card Industry Data Security Standard (PCI DSS 3.0) goes into effect, and although Version 2.0 will remain valid for another year, experts are encouraging organisations to start the switch soon.

According to DataGuidance, a preview of the new version showed that there will be several new requirements, including making penetration testing mandatory for all businesses, large and small.

Other requirements include unique authentication credentials for any organisation that remotely accesses customer systems, as well as new penetration testing and documentation methods.

"The focus of the changes appears to be a move from checkbox compliance to assessing whether business processes are appropriate to manage security risks," Dr Sam De Silva, a partner at Penningtons Manches, told DataGuidance.

"At a high level the proposals appear to be useful. There is potential to expand the scope of what is covered under PCI DSS."

As an example, Dr De Silva stated that consumer-facing online third-party payment systems were not covered under the previous version. However, this could change under the new version.

Regarding the new penetration testing measures, TechTarget recently explained that tests must follow an industry-accepted penetration testing methodology, such as the NIST SP 800-115 framework.