PCI DSS 2.0 vs PCI DSS 3.0: What are the Differences for IT Security?
You might have heard that the Payment Card Industry Data Security Standard (PCI DSS) has gotten a minor makeover for the New Year. Well, not the New Year, exactly. The new standard—version 3.0 to be exact—was released in November, but close enough.
That’s just great, you’re probably thinking. All the work you’ve done to lock down your data security and password procedures to comply with PCI and now you have a whole new set of standards to worry about?
First of all, take a deep breath. I totally understand that, if you’re an MSP, you want to keep your retail clients (and their customers) safe from incursions into their cardholder data environment. Just as importantly, you want to protect them from the consequences of a negative audit. (Just to review, those consequences can include losing the right to accept credit cards or debit cards, which can be devastating to any retailer these days.) But if that’s what you’re worried about, I have good news! If you were compliant with PCI DSS 2.0, then you’re probably already compliant with PCI DSS 3.0.
If you’re not compliant with either, that’s another story entirely. If your clients are in retail, you can’t afford PCI non-compliance. In fact, if you have clients that accept credit cards—like hotels, restaurants, and stores of almost every variety—you cannot afford to be non-compliant. I wrote about this in my latest eBook and I recommend you check it out. (You can download it at the bottom of this article.)
So, getting back to PCI DSS version 3.0: if the new standard is so similar to the old standard, why did PCI bother making the changes at all? As I understand it, it’s just a matter of emphasizing the importance of these requirements. Credit and debit cards are the go-to payment method for virtually everyone these days. There is so much cardholder information being handled by so many organizations that breaches like what happened with Target last month are going to become more and more common unless something is done. The Payment Card Industry (PCI) recognized that without rock-solid standards for protecting cardholder information, consumer confidence is going to erode. That erosion, left unchecked, would hurt the payment card brands as well as the millions of retailers and other businesses that rely on them.
Just Get to the Changes Already!
OK, I’m not going to detail every single change between PCI DSS version 2.0 and PCI DSS version 3.0. The PCI Security Standards Council issued a summary of the changes back in November, and that offers a detailed rundown. You'll notice that the document gets pretty technical. On page 3 they list the specific changes, and in the third column they also list what "type of change" each one is. The majority of the changes are listed as "clarifications".
To me, that means PCI is pretty satisfied with most of its current standards and issued this new version mostly to reemphasize and further explain its existing regulations. In an August “Change Highlights” document, PCI seems to say as much:
“Lack of education and awareness around payment security and poor implementation and maintenance of the PCI Standards leads to many of the security breaches happening today. The updates address these challenges by building in additional guidance and clarification on the intent of the requirements and ways to meet them. Additionally, the changes in PCI DSS and PA-DSS 3.0 focus on some of the most frequently seen threats and risks that precipitate incidents of cardholder-data compromise.”