Most of you have heard by now that an updated version of the PCI Data Security Standard (PCI DSS) is due for publication in November. In fact, the impending release of Version 3.0 has occasioned a fair amount of hand-wringing among some merchants and other members of the payment processing community, since changes to the PCI DSS could conceivably force organizations to make substantial upgrades to their systems and increase the difficulty of staying PCI compliant. Much of the mystery, however, was resolved at the recent seventh annual North American PCI Community Meeting, attended by 1300 payment processing professionals from no fewer than 25 countries. Among the other attractions the Meeting offered, attendees were given a glimpse of Version 3.0, and several participants have already reported on what they found in the new and improved PCI DSS.

Keep in mind that the official publication date for Version 3.0 is still several weeks away, and at this point it has not been finalized, so a few more changes may be introduced in the intervening time. Nonetheless, the Standard presented at the PCI Community Meeting is almost certain to be substantially the same as the one released in November. The consensus seems to be that Version 3.0 has been changed more than a little from the previous version, but less than a lot.
Among the reported changes:
- Additional guidance on detecting compromised POS terminals.
- Additional responsibilities for third-party providers that maintain data protection services.
- Tweaks to Requirement 6, adding responsibilities for those in charge of PCI audits (e.g., Qualified Security Assessors).
- Tweaks to Requirement 11, providing additional guidance relating to penetration testing and similar procedures.