The PCI Security Standards Council has released a new version of the Payment Card Industry standard known as PCI 3.0 which will take effect as of January 1, 2014.  If you’re an organization who accepts or processes payment cards, here’s what you need to know about PCI 3.0.

PCI scope:

What is it?  PCI scope refers to the method of penetration-testing required to demonstrate that the portion of the network assigned to store or process payment cards is inaccessible to the rest of the network. This is a new requirement based on the assumption that there hasn’t been enough testing of the internal network.  What’s important for merchants and service providers to note is that the Council doesn’t plan to provide a list of approved penetration-testing products or services.  This means organizations will be on their own to find and implement a testing solution.

Card skimming and point-of-sale measures

Another new requirement of PCI 3.0 involves what Troy Leach, CTO at the Council, calls “common-sense testing.” To avoid common theft practices like card skimming, closer attention will be paid to the physical point-of-sale systems looking for signs of physical tampering like the presence of disconnected wires.  Future visits from QSA or Qualified Security Assessors that conduct formal assessments for purposes of PCI compliance, can be expected to include questions about the type of programs merchants have in place and educational updates for personnel including information about card skimming and fraud.

Application security and secure coding

The Council is also putting strong emphasis on application security in the new PCI guidelines. While the Open Web Application Security Project spells out application vulnerabilities associated with PCI, many software developers are uneducated when it comes to PCI standards. This lack of knowledge regarding application security best practices has given criminals an easy access point for payment-card data theft. To combat these vulnerabilities, in PCI 3.0, organizations will now need to demonstrate that they have used and tested industry secure-coding practices. This will require developers to verify the integrity of the source code in order to withstand well-known security flaws.

Authentication and identity loom large

In another update from PCI 2.0, PCI 3.0 requires vendors to use unique authentication credentials for each customer if they had not already. This means networks using administrative access based on SSH encryption may need to make changes to ensure that security tokens, smart cards and certificates linked to individual accounts are only accessible by the intended user.

Unconventional malware may require unconventional protection

Finally, while anti-virus protection has long been a PCI standard requirement, PCI 3.0 makes some distinctions regarding how to tackle the issue of malware.  The Council has suggested that card processers may need to turn to untraditional anti-virus approaches.  To further malware risk management practices, the continual evaluation of malware threats for any systems, even those not considered to be commonly affected, is advised.

photo credit: Philip Taylor PT via photopin cc