The Payment Card Industry Security Standards Council (PCI SSC) has upped the ante on payment card data security and brought in a new three-year compliance cycle for merchants and payment processors.
The recently unveiled 3.0 version of the Payment Card Industry Data Security Standard (PCI DSS) includes more than a dozen new compliance requirements aimed at strengthening security for buyers.
The PCI DSS was first introduced in 2004 as a way to guide merchants in protecting sensitive data. This is the first time it has been updated since 2010.
Key changes include Requirements 11.3 and 11.4, which now force organisations to maintain a penetration testing programme to demonstrate that the cardholder data environment (CDE) is adequately segmented. This comes on top of the existing requirement that scanning vendors assess the CDE every three months.
Troy Leach, chief technology officer of the PCI SSC, believes this will be the change with the greatest impact on payment card security.
While many are happy about the new requirements, not all merchants are smiling at the idea of more compliance costs. Unfortunately, with the threat environment expanding every day, tighter security is a must.