This month the PCI Security Standards Council published the highlights of the new version of the Data Security Standard (DSS) that will come into effect in November 2013. The 3.0 Change Highlights document provides a preview of the new standard, which is meant to be more flexible and presents security as a shared responsibility, supported through education and awareness.
The Council has tried to provide as much transparency as possible about the new developments and the process for PCI DSS. The key drivers for the 3.0 updates are the lack of education and awareness, weak passwords and authentication challenges, third-party security challenges, slow self-detection of malware and other cybersecurity threats, and inconsistency in PCI DSS assessments.
The new 3.0 version will introduce several new sub-requirements among the 12 standards, including building security policies and operational procedures into each of the 12 requirements. There will also be new point-of-sale requirements, stronger requirements for penetration testing, and other enhanced testing procedures for validating compliance with the standard. Version 3.0 will also include a requirement to perform threat modelling as part of software development.
The standard updates are still being reviewed and subject to further comment with the final versions being published in November 2013.