The PCI Security Standards Council, an open forum for the development of payment card security standards, has published a preview of the upcoming changes to the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). Beginning in November, the new changes are designed to make data more secure by focusing on three key themes: increased flexibility, education and awareness, and the shared responsibility of security. Some of the proposed changes include:
- Recommendations on making PCI DSS business-as-usual and best practices for maintaining ongoing PCI DSS compliance
- Security policy and operational procedures built into each requirement
- Guidance for all requirements with content from Navigating PCI DSS Guide
- Increased flexibility and education around password strength and complexity
- New requirements for point-of-sale terminal security
- More robust requirements for penetration testing and validating segmentation
- Considerations for cardholder data in memory
- Enhanced testing procedures to clarify the level of validation expected for each requirement
- Expanded software development lifecycle security requirements for PA-DSS application vendors, including threat modeling
The Council has released this preview to ensure that organizations are as informed as possible to best prepare for the upcoming changes and to eliminate any surprises that may hamper those organizations come November. Further, this early preview allows organizations to be more prepared to review and discuss draft versions of the standards at the 2013 Community Meetings scheduled to take place in September and October.
For more information about the firm’s privacy practice, please visit our website or contact Linda McReynolds, Certified Information Privacy Professional (CIPP/US), at lgm@commlawgroup.com.
