
Version 3.0 of the PCI Data Security Standard and Payment Application Data Security Standard published

On 7th November 2013 the PCI Security Standards Council (PCI SSC) published version 3.0 of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS). Both are available now on the PCI SSC website. Version 3.0 becomes effective on 1st January 2014, although some of the changes will not become requirements until 1st July 2015. Version 2.0 will remain active until 31st December 2014 to give organizations adequate time to make the transition.

Changes are made to the standards every three years, based on feedback from the Council’s global constituents per the PCI DSS and PA-DSS development lifecycle and in response to market needs. Proposed changes for version 3.0 were shared publicly in August, and Participating Organizations and assessors had the opportunity to discuss the draft standards at the 2013 Community Meetings prior to final publication.

Version 3.0 will help organizations make payment security part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility.

New requirements include:

PCI DSS

  • Req. 5.1.2 - evaluate evolving malware threats for any systems not considered to be commonly affected;
  • Req. 8.2.3 - combined minimum password complexity and strength requirements into one, and increased flexibility for alternatives;
  • Req. 8.5.1 - for service providers with remote access to customer premises, use unique authentication credentials for each customer;
  • Req. 8.6 - where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) these must be linked to an individual account and ensure only the intended user can gain access;
  • Req. 9.3 - control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination;
  • Req. 9.9 - protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution;
  • Req. 11.3 and 11.3.4 - implement a methodology for penetration testing; if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective;
  • Req. 11.5.1 - implement a process to respond to any alerts generated by the change-detection mechanism;
  • Req. 12.8.5 - maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity;
  • Req. 12.9 - for service providers, provide the written agreement/acknowledgment to their customers as specified at requirement 12.8.2.

PA-DSS

  • Req. 5.1.5 - payment application developers to verify integrity of source code during the development process;
  • Req. 5.1.6 - payment applications to be developed according to industry best practices for secure coding techniques;
  • Req. 5.4 - payment application vendors to incorporate versioning methodology for each payment application;
  • Req. 5.5 - payment application vendors to incorporate risk assessment techniques into their software development process;
  • Req. 7.3 - application vendor to provide release notes for all application updates;
  • Req. 10.2.2 - vendors with remote access to customer premises (for example, to provide support/maintenance services) use unique authentication credentials for each customer;
  • Req. 14.1 - provide information security and PA-DSS training for vendor personnel with PA-DSS responsibility at least annually.

Organizations can access the standards and a detailed summary of changes from version 2.0 to version 3.0 here.

Comments received by Continuity Central about Version 3.0 of the PCI Data Security Standard and Payment Application Data Security Standard

Kurt Hagerman, director of information security at FireHost:

“The revisions made for the latest version of the PCI standards will go a long way to improving the quality of assessments and reducing overall risk. Whereas with previous iterations of the standards companies would be told how to meet each requirement, with PCI DSS 3.0 they are given both a more detailed explanation of the requirement and the ways of meeting it – a much more effective approach indeed.

“There is however no denying that the new standards will mean an increase in time and costs for organizations to remain compliant. Organizations only reaching the bare minimum standards of PCI DSS 2.0 right now will need to make significant revisions to their compliance strategy to reach 3.0 and I suspect SMEs will have the most to do in this regard.

“For example, there is official guidance within the new PCI DSS 3.0 regarding the implementation of security into ‘business as usual activity’, as a means of maintaining on-going PCI DSS compliance:
Requirement: General
PCI DSS Update: Added guidance for implementing security into business-as-usual (BAU) activities and best practices for maintaining on-going PCI DSS compliance.
Purpose / Need Addressed: To address compromises where the organization had been PCI DSS compliant but did not maintain that status. Recommendations focus on helping organizations take a proactive approach to protect cardholder data that focuses on security, not compliance, and makes PCI DSS a business-as-usual practice.

“It’s a great idea in principle but I can see many organizations pulling their hair out trying to follow the payment council’s recommendations here. For many businesses PCI compliance has traditionally been a once-a-year exercise in reviewing business practices and ensuring the regulations are met. Constant monitoring of PCI as part of business-as-usual will require additional investment in resources and personnel for any organization. Financial and ecommerce organizations may also need to re-evaluate their current partner programmes but, if this means reducing risk and improving security, this can only be considered as a positive step.”

Bernard Zelmans, general manager EMEA at FireMon:

“There have been few subjects that have stirred more controversy in information security than PCI DSS. Some say it has done more to raise the level of security preparedness of millions of merchants than anything before, whereas others claim it is responsible for dumbing down security to a checkbox standard.

“Whatever your opinion, the new PCI DSS 3.0 appears to be moving from a security check box posture to a more holistic risk management approach. This will hopefully entail a more security centric approach to PCI compliance rather than the least common denominator approach of earlier versions of PCI. Moving to a risk management centric goal is one that many within the industry have clamoured for, and if the new risk based approach will result in organizations adopting better security standards, then PCI DSS 3.0 will have succeeded where its predecessors have come up short.

“If nothing else, the PCI council and its members responsible for drafting the new version of the standards have listened to those in the industry who wanted to see PCI DSS evolve. This should result in greater support for PCI DSS within the information security industry.”

Michael Aminzade, director/delivery for EMEA & APAC at Trustwave:

“Overall, the Council has made some excellent improvements to the standard, but the risk management area of PCI 3.0 still needs more work. The main area of concern is that even though the new standard references risk management strategies that must be met, the standard doesn’t compel companies to adopt any of those strategies. In particular the standard doesn’t address the fact that risk assessments need to be done by an industry-certified professional and are only performed on an annual basis.

“Also, PCI DSS 3.0 does not include any changes surrounding mobile security. Merchants are struggling with how to protect mobile payment solutions and integrate mobile devices into their organizations. The Council released a best practices guide for mobile security more than a year ago, but it would be more beneficial to release additional guidance pertaining to mobile data security. As revealed in the 2013 Trustwave Global Security Report, we saw a 400% increase in mobile malware in 2012. The increase goes to show mobile security is essential when it comes to protecting a business’s valuable information.

“Lastly, the PCI DSS 3.0 standard needs a section that highlights the expanded use of security tools (beyond vulnerability scanning) that all merchants should use. Merchants should be using security tools that demonstrate their systems are configured to meet the compliance requirements. There are many options on the market that can easily perform the following functions: identify improper use of guest and administrator accounts; find weak and default passwords; perform a network inventory and validate current antivirus software. PCI DSS 3.0 is a good opportunity to mandate that merchants use these tools so that they can better demonstrate they are in compliance. Security is now so complex that some merchants do not understand how to interpret the PCI requirements. They need recommendations pointing to tools they can use that help them become compliant.”

Steve Hall, director of PCI solutions for Tripwire:

“Three-year cycles seem like forever and this was supposed to be delivered in September. PCI DSS has been taking all the feedback they got on the proposed changes and trying to address it. The fact that they’re putting the rubber stamp on the new standard is a big deal; however, the standard is all that they are committing to: the supplemental documents, including the reports and network diagrams, won’t be released until March. This will significantly delay updated audit procedures and testing standards.

“The good news is that PCI 3 includes new reporting templates with reporting guidance – the PCI community is definitely looking forward to this. The bad news is the report on compliance format is still in development - they’re tentatively committed to have this released by March. This means that while the new standard takes effect on January 1st, 2014, the QSA will not have any way to determine if they are testing the right procedures until March and they won’t be able to provide any reports until 90 days later. Even though V2 compliant vendors will have a one year grace period, this gap is going to be a significant friction point between the standards body, merchants and service providers, and the QSAs.”

Mark Kedgley, CTO, New Net Technologies:

The new and updated version of the PCI Data Security Standard is as much about refining and improving the protection afforded by the DSS as re-launching the standard and attempting to galvanize renewed focus onto PCI compliance. Many organizations have still chosen to delay the implementation of their PCI program, being wary of the resource requirements necessary to manage PCI compliance. This new version of the PCI DSS makes it harder to continue to delay adoption and this will undoubtedly be the time that many organizations decide to face the music.

As well as the detailed changes in the new version, upping the ante for secure application development and more rigorous penetration testing, the Security Standards Council has made it clear that it expects merchants to take a more continuous approach to operating security best practices. ‘Gesture-PCI compliance’ is still commonplace: going through the motions to be seen to be acting as a PCI compliant organization during an audit. The annual audit should ideally be more of a validation that everyday operational procedures are sound, allowing the QSA to act more as a coach or mentor for security and less as a finger-wagging traffic warden.

If the new version of the PCI DSS achieves anything, it will hopefully be to get the message across that merchants need to operate securely 365 days a year.


Date: 8th November 2013 • World • Type: Article • Topic: ISM
Updated: 22nd November 2013
