To strengthen the protection of customer payment data as e-commerce continues to grow, the Payment Card Industry (PCI) Security Standards Council has announced the release of version 3.0 of the Payment Application Data Security Standard (PA-DSS) and version 3.0 of the PCI Data Security Standard (PCI DSS), both of which take effect on 1 January 2014. Together, the two standards set the key requirements for the storage, processing and transmission of cardholder data, with the aim of preventing cardholder data breaches.

Details of the changes from PCI DSS 2.0 to 3.0 can be read here. In summary, the key new requirements are:

  • Evaluate evolving malware threats for any systems not considered to be commonly affected by malicious software
  • Combine minimum password complexity and strength requirements into one, with increased flexibility for alternatives
  • For service providers with remote access to customer premises, use unique authentication credentials for each customer
  • Where other authentication mechanisms are used (e.g., physical security tokens, smart cards or certificates), these must be linked to an individual account, and controls must ensure that only the intended user can gain access with them
  • Control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately on termination
  • Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution
  • Implement a methodology for penetration testing, including testing of any segmentation methods used to isolate the cardholder data environment
  • Implement a process to respond to any alerts generated by the change detection mechanism
  • Maintain information about which PCI DSS requirements are managed by each service provider and which are managed by the organisation itself
  • For service providers, acknowledge in writing to customers their responsibility for the security of the cardholder data they possess or handle on the customer’s behalf

Full details of the updates to the PA-DSS can be read here. In summary, the new requirements include:

  • Payment application developers must verify the integrity of source code during the development process
  • Payment applications must be developed according to industry best practices for secure coding techniques
  • Payment application vendors must incorporate risk assessment techniques into their software development process
  • Application vendors must provide release notes for all application updates
  • Vendors with remote access to customer premises for maintenance must use unique authentication credentials for each customer
  • Vendors must provide annual information security and PA-DSS training to personnel with PA-DSS responsibilities

The Payment Card Industry (PCI) Security Standards Council commented that the package of standards “will help organisations make payment security part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility.”

Organisations should be reminded that failure to adhere to the PCI standards can be treated by the ICO as a failure to take appropriate security measures for personal data, and can therefore result in enforcement action. In August 2011, the ICO made an example of the retailer LUSH following a security lapse in which hackers were able to access the payment details of around 5,000 customers of the company’s website, 95 of whom became victims of card fraud. As a consequence, the ICO required LUSH to sign an undertaking committing it to process future customer credit card data in accordance with the PCI DSS.