The Payment Card Industry Security Standards Council (PCI SSC) has announced that Version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS) is expected to be released in November. In a press release, PCI SSC Chief Technology Officer Troy Leach said that PCI DSS 3.0 will "provide organizations with the framework for assessing the risk involved with their technologies and platforms." He also noted that the changes will give organizations the flexibility to apply these principles to their unique payment and business environments.
The new guidelines, which encourage organizations to focus on security rather than compliance, were created to:
- Clarify PCI DSS requirements;
- Build greater understanding on the intent of the requirements and how to apply them;
- Improve flexibility for all entities implementing, assessing, and building to the Standards;
- Drive more consistency among assessors;
- Align with changes in industry best practices;
- Clarify scoping and reporting; and
- Eliminate redundant sub-requirements and consolidate documentation.
Some of the more significant changes are still under review before the final version is released. All entities that process, store or transmit cardholder data are expected to comply with Version 3.0 by December 2014. We expect that some of the new sub-requirements will be treated as recommended best practices until July 2014, after which they become mandatory.
This post was written by Brenda Brigman, Executive Vice President of CBIZ Security & Advisory Services, LLC. Brenda is responsible for performing Payment Card Industry Data Security Standard (PCI DSS) compliance assessments, IT SOX testing, HIPAA and ISO reviews, network security reviews and IT risk assessments, including assessing and testing the level of IT security over infrastructure components and application-integrated controls.
For more information regarding CBIZ Security & Advisory Services, LLC, contact Karen Cassella, Executive Vice President, CBIZ SAS, at (901) 685-5575, or email the CBIZ SAS team.