WAKEFIELD, Mass | The PCI Security Standards Council (PCI SSC), a global forum for the development of payment card security standards, published version 3.0 of the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) last week.
Effective on 1 January 2014
Available now on the PCI SSC website, version 3.0 becomes effective on 01 January 2014. Version 2.0 will remain active until 31 December 2014 to ensure adequate time for organisations to make the transition. Version 3.0 will help organizations make payment security part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility.
'Good Business Practice'
“The core principles at work when we first published PCI DSS are still relevant today. Version 3.0 builds on these to address the feedback we’ve heard from our community and to help organizations make payment security good business practice – every day, all year round.”
Responding to market needs
Changes are made to the standards every three years, based on feedback from the Council’s global constituents per the PCI DSS and PA-DSS development lifecycle and in response to market needs. Proposed changes for version 3.0 were shared publicly in August, and Participating Organizations and assessors had the opportunity to discuss the draft standards at the 2013 Community Meetings prior to final publication.
PCI DSS 3.0 | Part of everyday business processes
Overall updates include specific recommendations for making PCI DSS part of everyday business processes and best practices for maintaining ongoing PCI DSS compliance; guidance from the Navigating PCI DSS Guide built in to the standard; and enhanced testing procedures to clarify the level of validation expected for each requirement. Organisations can access the standards and detailed summary of changes from version 2.0 to version 3.0 at the PCI SSC website.
Supporting Documentation Released Early 2014
Supporting documentation including updated Self-Assessment Questionnaires (SAQ), Attestations of Compliance (AOC) and Reporting Templates will be available in early 2014 once version 3.0 is effective.
PCI Security Standards Council (PCI SSC)
“Over the course of several years now, the PCI Security Standards Council has done a laudable job at defining and evolving a cohesive set of standards, as well as at listening and adapting over time to the feedback from merchants, banks, payment processors, service providers, and technology providers,” said Derek Brink, vice president and research fellow, Aberdeen Group. “The stakeholders in the payment card community seem to be working to put security and compliance in the right relationship – i.e., that compliance does not drive security; compliance is the result of foundational security practices.”
'Strong Framework for Payment Card Industry'
“PCI Standards continue to provide a strong framework for payment card security,” said Bob Russo, general manager, PCI SSC. “The core principles at work when we first published PCI DSS are still relevant today. Version 3.0 builds on these to address the feedback we’ve heard from our community and to help organizations make payment security good business practice – every day, all year round.”
About the PCI Security Standards Council
The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the Council has more than 650 Participating Organizations representing merchants, banks, processors and vendors worldwide. To learn more about playing a part in securing payment card data globally, please visit: pcisecuritystandards.org. Connect with the PCI Council on LinkedIn.
PCI Security Standards Council, Laura K. Johnson or Ella Nevill, +1-781-876-6250, email@example.com, Twitter @PCISSC