Payment card industry gets updated security standard with new best practices
by Kylene Casanova
The PCI Security Standards Council released version 3.0 of the PCI Data Security Standard (PCI DSS) and corresponding Payment Application Data Security Standard (PA-DSS), adding new security requirements and guidance for payment-card industry organizations, including merchants, payment processors, financial institutions, and service providers.
The new version will go into effect on Jan. 1, but organizations will have until Dec. 31, 2014, to make the transition from PCI DSS 2.0. In addition, some of the new security requirements will have the status of best practices until June 30, 2015.
Best practices
The PCI Security Standards Council has tried to improve fraud prevention by including a set of best practices in the new version of the standard that aims to make PCI DSS implementation part of business-as-usual activities and to ensure that organizations involved in payment card processing remain compliant between annual assessments. These practices include:
- the continuous monitoring of firewalls, intrusion detection systems, antivirus products and access controls to ensure they operate as intended;
- ensuring that security control failures are detected and remediated in a timely manner;
- reviewing how planned changes to the environment like the addition of new systems or modification of existing system and network configurations impact the scope of PCI DSS and updating the security controls as needed;
- reviewing how organizational changes like acquisitions or mergers impact the PCI DSS scope;
- reviewing at least once a year whether the hardware and software technologies in use are still supported by their vendors; and
- implementing separation of duties for personnel in charge of security and those responsible for operations so that no single individual has control over an entire process without independent checks.
Unfortunately, while PCI DSS 3.0 adds a number of new requirements, some of those that could help prevent common attack methods used today won’t go into effect until July 2015 and will be treated as “best practices” in the meantime.