Since its introduction in 2004, the Payment Card Industry Data Security Standard (PCI DSS) has been and continues to be a globally relevant baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data.
PCI Security Standards Council (PCI SSC) has recently published a document that outlines its anticipated version 3.0 changes to the PCI DSS and the PCI Payment Application Data Security Standard (PA-DSS), which won't be finalized until November 2013 and are expected to become effective January 1, 2014 with a transition period until 2015. The changes proposed for PCI DSS 3.0 include a number of additions and clarifications to current requirements, general guidance that affects several requirements or the overall PCI compliance process, and some significant changes to the last of the 12 requirements (Maintain an Information Security Policy).
According to the Version 3.0 Change Highlights, the updated versions of PCI DSS and PA-DSS will:
- Provide stronger focus on some of the greater risk areas in the threat environment
- Provide increased clarity on PCI DSS & PA-DSS requirements
- Build greater understanding on the intent of the requirements and how to apply them
- Improve flexibility for all entities implementing, assessing, and building to the Standards
- Drive more consistency among assessors
- Help manage evolving risks / threats
- Align with changes in industry best practices
- Clarify scoping and reporting
- Eliminate redundant sub-requirements and consolidate documentation
It is also worth noting that specific guidance on the use of emerging technologies (e.g., e-commerce, mobile acceptance, or cloud computing) and how PCI Standards apply are currently addressed via information supplements produced by PCI Special Interest Groups, and separate guidance documents, such as Mobile Payment Acceptance Security Guidelines for Merchants.
In the world of security standards and frameworks, PCI DSS is somewhat unique because it is implemented via contract clauses (i.e., the ability to process payment card transactions is contingent up agreement to comply). The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate the relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can catastrophic to a small business, so they are taken seriously.
Individual products cannot be PCI DSS or PA-DSS compliant, but the absence or inclusion of certain security functionality (e.g., authentication, encryption and key management, and audit logging) can impact an organization's ability to achieve compliance. As such, it is important to keep an eye on the PCI DSS requirements.