New PCI 3.0 Standards Will Take Effect in 2014
WAKEFIELD, Mass. -- The Payment Card Industry Security Standards Council introduced PCI 3.0, new and updated security and operation procedures for retailers. The new payment card industry (PCI) standards will go into effect Jan. 1.
According to the Council, the changes were driven by feedback from all participating organizations and stakeholders during the three-year lifecycle of the PCI 2.0 standard.
The main proposed changes are:
- Security policy and operation procedures built into each requirement;
- Guidance for all requirements within the standard;
- More robust requirements for penetration testing and validating segmentation;
- Recommendations on making Payment Card Industry Data Security Standards (PCI DSS) business-as-usual and best practices for maintaining ongoing PCI DSS compliance;
- Increased flexibility and education regarding password strength and complexity;
- New requirements for point-of-sale terminal security;
- Consideration for cardholder data in memory;
- Enhanced testing procedures to clarify the level of validation expected for each requirement; and
- Expanded software development lifecycle security requirements.
"PCI 3.0 will help to drive improved security and compliance due, in part, to many clarifications," Randolph Simonetti, managing director of Verizon Communications Inc.'s Payment Card Industry Services, told CSNews Online. "PCI [3.0] is not significantly more difficult to comply with than 2.0, and it even allows more flexibility to achieve security goals in the standard through risk management and education."
Convenience store retailers should focus on the changes around validation and penetration testing, Simonetti advised, which are "critical and will help to better align security and compliance."
According to Gray Taylor, executive director of PCATS, PCI 3.0 is mostly a clarification of old specifications, with a highlight on new threat vectors that have emerged between versions. However, one thing is missing from the new standards: radically simplified risk-management guidelines and compliance processes for small merchants.
"By [the Security Council's] own numbers, Level 1 is at full compliance and Level 2 is nearly there. So, what is left is the huge portion of small merchants (that includes 95,000 convenience stores) with no standing tech departments, trying to figure out this compliance," Taylor said in an email to CSNews Online. "Our objective, working with other trade groups, directly with the credit card brands and [the Council], is to have new SQA (software quality assurance) released next year targeting this 'forgotten' segment."
Costs Associated With Compliance
C-store retailers can expect some compliance costs with PCI 3.0, depending on their size, but the costs of compliance are much lower than noncompliance, Simonetti told CSNews Online.
"Based on Verizon's own caseload over a five-year period, the average cost of noncompliance ($7 million) is about three times the average cost of compliance ($2.5 million), while the PCI assessment cost is about five percent to 10 percent of total cost of compliance," Simonetti explained. "The estimate is highly dependent on the size of the company and its relationship to credit cards. Our experience is that PCI DSS assessments cost between $30,000 for simple centralized information technology in a single-country environment, to $1.5 million per year for complex information technology across a worldwide distributed environment."
The Wakefield, Mass.-based PCI Security Standards Council is an open global forum that is responsible for the development, management, education and awareness of the PCI Data Security Standard and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the Council has more than 650 participating organizations representing merchants, banks, processors and vendors worldwide.