Skip Links

5 things you need to know about new Payment Card Industry (PCI 3.0) standard

PCI 3.30 places new security demands on merchants, card processors

Network World - There's a new version of the Payment Card Industry standard for network security -- PCI 3.0 – out today from the group overseeing its publication, the PCI Security Standards Council. 

If your organization accepts or processes payment cards, here's what's new that you need to know:

bob russo
Demonstrate evidence that the environment scoped as PCI is truly inaccessible to the rest of the network.

- Implement a method for penetration testing of the network segments used for storing or processing payment cards. This network area is called “PCI scope” in the jargon of PCI standards and compliance testing. According to council general manager Bob Russo, the idea is you have to “demonstrate evidence that the environment scoped as PCI is truly inaccessible to the rest of the network.” He says this is a new requirement because there hasn’t been enough testing of the internal network. 

But the council doesn’t plan to have a list of approved penetration-testing products or services for this because it’s assumed that the organization can do this on its own. “This is something new and will require additional work from service providers and merchants,” says Rodolphe Simonetti, managing director of Verizon’s Card Industry Services, about the new PCI requirement. He says the aim of the PCI penetration testing is to “validate scope,” and basically that could be done through White Hat hacking methods to see if it’s possible to break in to a defined PCI network segment. Simonetti also notes that using point-to-point encryption is one way to define network “scope” and Verizon believes P2P encryption will play a larger role in the future, especially in mobile-payments processing.

Troy Leach
Troy Leach, CTO at the council

- Physical security considerations related to payment-card data get more attention in PCI 3.0. Troy Leach, CTO at the council, says one new requirement involves “common-sense testing and looking for physical tampering of systems in the retail environment and face-to-face transactions.” This especially pertains to physical point-of-sale systems, where recommendations are expected to be carried out to prevent card data being skimmed off by crooks. This might include things as simple as regularly looking at the point-of-sale device to see if it or connected wires have been tampered with. This goes for smaller as well as larger merchants, Troy points out. He adds that Qualified Security Assessors (QSA) that conduct formal assessments for purposes of PCI compliance can be expected to be asking in the future about what programs are in place to educate personnel about card skimming and fraud.

- Application security is also an area where the council is putting more emphasis in the PCI guidelines. Russo says he’s been dismayed that so many software developers not only haven’t heard of PCI standards but don’t even know about application vulnerabilities spelled out by the Open Web Application Security Project or SANS Institute. But these application flaws are being exploited by attackers to steal payment-card data, he notes. In PCI 3.0, organizations will need to demonstrate that they tested applications for payment cards to withstand well-known security flaws and used industry secure-coding practices. This means verifying the integrity of the source code during the development process, too. Under the PCI rules, vendors with remote access to customer premises for support and maintenance, for example, must use unique authentication credentials for each customer.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News