The New PCI DSS Focuses on Security, Ongoing Compliance

24 Sep 2013

If you follow credit card security news, you’re probably aware that by November of this year, the PCI Security Standards Council will release new PCI DSS standards. PCI DSS 3.0, as it’s called, is an updated version of the PCI standards with a new focus and more stringent expectations for merchants and payment processors.

The new PCI requirements follow in the wake of a number of high-profile data breaches and increased pressure on payment processors and merchants to protect their customers’ data. It seems especially fitting, then, that PCI 3.0 is aimed at improving the day-to-day security practices of processors and businesses. In other words, PCI 3.0 places less emphasis on achieving compliance and more on achieving true information security. (You can view the proposed changes for yourself on the PCI Security Standards Council website.)

In terms of changes to the requirements themselves, many of the big alterations focus on the security practices of merchants and data handlers. For instance, according to an interview with Bob Russo, the general manager of the PCI Security Standards Council, almost every requirement in the PCI guidelines carries a section emphasizing the security policy and operational procedures for that guideline. This is in contrast to PCI 2.0, where all the security and operations guidelines were listed together, in a single requirement.

PCI 3.0 is also focused on making security more flexible and responsive. The new guidelines give more flexible requirements for the length and complexity of passwords, along with a requirement that all default passwords be changed. Merchant devices must also undergo more robust penetration testing to protect against hacking or malware injection.

Overall, Russo says that the goal of PCI 3.0 is to provide merchants with a “strong but flexible security architecture,” rather than just a checklist of items that must be completed in order to achieve certification.

Another major focus of the updated guidelines is education. According to Russo, a lack of education and awareness is one of the major contributing factors in many data breaches – merchants and employees simply don’t have a strong background in how to keep the data they handle secure.

In order to further this goal, the PCI council has put a lot of effort into making the guidelines and standards themselves much easier to understand. Tips and advice that used to be contained within the “Navigating PCI” resource guide will now be included in the standards themselves, so security providers and data handlers at every level can understand and implement the standards effectively.

So what does this mean for merchants? In effect, to achieve PCI compliance, you’ll have to be more aware and more vigilant about your security practices at all times, rather than making updates once a year to meet your compliance obligations at review time. Password management, encryption standards, and ongoing education for yourself and your staff are going to be much bigger parts of the new PCI, and those are not activities you can simply perform once a year in order to check them off.

Of course, this is exactly the intent of the PCI council. In the interview, Russo states that he hopes the new guidelines “…will help organizations move away from the checkbox mentality that everybody generally has when you talk about compliance.” In other words, PCI compliance will no longer be a simple list of requirements to be met. It will be a guide for achieving real digital security and cultivating a mindful attitude toward security inside your company.

In that sense, tokenization provides a perfect solution for staying ahead of the PCI compliance requirements. Tokenization effectively removes your sensitive data from the scope of PCI DSS, and thus makes it far simpler for you to achieve compliance – not to mention the fact that it keeps the data secure. In effect, it’s a solution that provides the security PCI DSS 3.0 strives for while lessening your compliance obligations at the same time.

To try out our tokenization system for yourself, head over to our registration page and sign up for our free 30-day trial. The only risk is the one you get from not using our service.