PCI Version 3

Risk Advisory/Internal Audit

By Frank Dezort

Version 3.0 of the PCI Data Security Standard is coming, and draft guidelines reflect the impact of recent retail breaches. The big message to merchants and card issuers: When it comes to payment card security, organizations need to be worried not about threats, but about their own business processes, says Russo, general manager of the Payment Card Industry Security Standards Council. Russo says the problem is that most organizations are not compliant at the time of these attacks. Changes they've made to network infrastructure, software and/or hardware can impact compliance, and this is definitely an area the updated DSS version addresses, he says.

Version 3.0 of the PCI-DSS is focused on helping organizations shore up those key process controls. This is a change in approach: the emphasis is less on specific risks and threats and more on building controls into credit card activities and the business and technology processes surrounding them. Changes planned for Version 3.0 are designed to help organizations take a proactive approach to protecting cardholder data, one that focuses on security, not compliance, and makes PCI DSS a business-as-usual practice. The key themes emphasized are:

  • Education and awareness - Lack of education and awareness around payment security, coupled with poor implementation and maintenance of the PCI Standards, gives rise to many of the security breaches happening today.
  • Increased flexibility - Focus on some of the most frequently seen risks that lead to incidents of cardholder data compromise—such as weak passwords and authentication methods, malware, and poor self-detection—providing added flexibility on ways to meet the requirements.
  • Security as a shared responsibility - Today’s payment environment has become ever more complex, creating multiple points of access to cardholder data. Changes introduced with PCI DSS and PA-DSS focus on helping organizations understand their entities’ PCI DSS responsibilities when working with different business partners to ensure cardholder data security.

Types of changes to the PCI-DSS Standards included in the new version are categorized as follows:

  • Clarification – Clarifies intent of requirement. Ensures that concise wording in the standard portrays the desired intent of requirements.
  • Additional Guidance – Explanation, definition, and/or instruction to increase understanding or provide further information or guidance on a particular topic.
  • Evolving Requirement – Changes to ensure that the Standards are up to date with emerging threats and changes in the market.

To learn more about how Schneider Downs can assist with your PCI-DSS audit needs, please contact Eric Wright at ewright@schneiderdowns.com.

© 2013 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
