The Payment Card Industry Security Standards Council is introducing a new set of security requirements and recommendations for payment card companies, merchants, processors, financial institutions and services providers aimed at cutting down incidence of data theft.
The requirements and guidelines are included in the version 3.0 of the PCI Data Security Standard (PCI DSS) and will come into effect January 1 next year. Organizations and businesses have until December 31, 2014 to switch to the new standard.
The council was originally formed in 2006 by the major credit card providers American Express, Discover Financial Services, MasterCard Worldwide, JCB and Visa International. The group created a body of security standards called the PCI Data Security Standard, which includes directives against which businesses can measure their own payment card security policies and procedures.
Many merchants and payment processors that passed previous PCI DSS compliance assessments are among those that suffered significant cardholder data breaches, according to a report on the online technology publication Computerworld.com. That is why the latest version of the standard focuses on practices aimed at strengthening security posture.
These include continuous monitoring of firewalls, intrusion detection systems, antivirus products and access controls. The standards stress that security control failures should be detected and remediated in a timely manner.
Other items in the document include:
- Reviewing planned changes such as addition of or modification of systems and network configuration and how they impact security controls
- Examination of how organizational changes such as mergers and acquisition will impact the PCI DSS scope
- A yearly review of hardware and software technologies to ensure that these are still supported by vendors
- Separation of duties for personnel in charge of security
Some of the new requirements meant to prevent common attack methods used today will not go into effect until July 2015 and will in the meantime be treated as “best practices.”
An example of this is requirement 6.5.10. The requirement says companies should examine their software development procedures to make sure broken authentication and session management are dealt with in internal and external Web applications by: flagging cookies as “secure;” not exposing session IDs in URLs; and using time-outs and rotation of session IDs after authentication.
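The following is an added example, not code from the article or from the PCI Security Standards Council, showing what the four practices listed under requirement 6.5.10 look like in a minimal server-side session layer. The class and function names, the cookie name `SESSIONID` and the 15-minute idle timeout are assumptions chosen for the illustration; the secure-cookie flags, the refusal to read a session ID from the URL, the idle timeout and the ID rotation at login are the substance of the requirement.

```python
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Added example; names, cookie name and timeout value are assumptions for illustration.
IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed idle limit for this example
COOKIE_NAME = "SESSIONID"         # assumed cookie name


class SessionStore:
    """In-memory session store implementing the 6.5.10 practices the article lists."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so time-outs can be exercised offline
        self._sessions = {}          # session_id -> {"user": str | None, "last_seen": float}

    def create(self):
        """Start an anonymous (pre-authentication) session with an unguessable random ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def authenticate(self, old_sid, user):
        """Rotate the session ID at login: the pre-auth ID is discarded, so an ID an
        attacker learned or planted before login never becomes an authenticated one."""
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def lookup(self, sid):
        """Return the session record, or None if unknown or idle past the time-out."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]   # expire idle sessions server-side, not only in the browser
            return None
        sess["last_seen"] = now
        return sess


def session_cookie_header(sid):
    """Build a Set-Cookie value carrying the Secure flag (plus HttpOnly and SameSite)."""
    c = SimpleCookie()
    c[COOKIE_NAME] = sid
    c[COOKIE_NAME]["secure"] = True      # only sent over HTTPS
    c[COOKIE_NAME]["httponly"] = True    # not readable from page scripts
    c[COOKIE_NAME]["samesite"] = "Lax"   # not attached to most cross-site requests
    c[COOKIE_NAME]["path"] = "/"
    return c[COOKIE_NAME].OutputString()


def session_id_from_request(url, cookie_header):
    """Take the session ID only from the cookie header, never from the URL.
    A request that carries one in the query string is rejected outright, because
    URLs end up in server logs, browser history and Referer headers."""
    query_keys = {k.lower() for k in parse_qs(urlsplit(url).query)}
    if COOKIE_NAME.lower() in query_keys:
        return None
    c = SimpleCookie()
    c.load(cookie_header or "")
    morsel = c.get(COOKIE_NAME)
    return morsel.value if morsel else None


if __name__ == "__main__":
    # Constructed walk-through: anonymous session, login with ID rotation, idle expiry.
    store = SessionStore()
    anon = store.create()
    auth = store.authenticate(anon, "alice")
    print("rotated at login:", anon != auth)
    print("Set-Cookie:", session_cookie_header(auth))
    print("ID in URL accepted?", session_id_from_request(
        "https://shop.example/cart?SESSIONID=" + auth, "") is not None)
```

The store is deliberately framework-free so each practice is visible in one place; in a real application the same four checks are usually configuration options of the web framework's session middleware, and the value of the example is knowing which options to verify during the review of development procedures that the requirement asks for.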
There are some questions as to why the PCI DSS offers a grace period for procedures such as those in requirement 6.5.10 when they have been in common use for some time already.