The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations that handle credit and debit cards from the major card companies, including Visa, MasterCard and American Express. Organisations that take payments with card details, or that process or store them, are obliged to meet the standard. Those who fail to observe it can find themselves excluded from receiving credit card payments, and those who lose credit card numbers, or have them stolen, can face hefty fines for failure to meet the standard. This note discusses Release 3.2 of the standard, which has significant implications for card providers and their service providers.
The standard was created in 2004 to increase controls around cardholder data and to reduce credit card fraud. It is administered by the Payment Card Industry Security Standards Council (PCI SSC), a body set up by the card companies but intended to be separate from and independent of them. The standard is therefore seen as existing independently of the needs of any specific card company and as reflecting general security issues affecting all issuers of credit and debit cards.
The standard consists of twelve broad principles:

1. Install and maintain a firewall configuration to protect cardholder data;
2. Do not use vendor-supplied defaults for system passwords and other security parameters;
3. Protect stored cardholder data;
4. Encrypt transmission of cardholder data across open, public networks;
5. Use and regularly update anti-virus software on all systems commonly affected by malware;
6. Develop and maintain secure systems and applications;
7. Restrict access to cardholder data by business need-to-know;
8. Assign a unique ID to each person with computer access;
9. Restrict physical access to cardholder data;
10. Track and monitor all access to network resources and cardholder data;
11. Regularly test security systems and processes; and
12. Maintain a policy that addresses information security.

The standard document describes the processes, policies and settings required to conform to these principles in quite granular detail.[1]
Since its release in 2004, only two major revisions have been made to the standard: Version 2.0 was released in November 2010 and Version 3.0 in October 2013. A new Version 4.0 is expected in early 2017. However, a number of 'sub-releases' containing revisions and clarifications have been issued between the three major releases. The most recent, Release 3.2, contains a number of changes which, while ostensibly minor, may have significant implications and costs for organisations required to conform to the standard. According to the PCI SSC, organisations must implement these new requirements before 31st October 2016, when the prior release, version 3.1, will no longer be valid.
Of the changes required by the new PCI DSS Release 3.2 a number appear to arise directly from...