It's been three years in the making. The third iteration of the Payment Card Industry Data Security Standard, arguably enterprise information security's most important and successful mandate, updates the rules merchants must follow to protect customer payment card data.
PCI DSS 3.0 raises the bar for vulnerability assessments, password management and provider compliance. Which changes will have the greatest effect on the PCI compliance process? Does PCI 3.0 go too far, or not far enough? How should enterprises prepare for PCI 3.0 assessments in 2015? We tackle those questions and more in this exclusive SearchSecurity special report.
News & Analysis
PCI Data Security Standard 3.0
PCI 3.0 is here. Read our news coverage detailing the changes and get expert analysis on what they mean for payment card compliance.
Version 3.0 of the Payment Card Industry Data Security Standard has few surprises, but a host of new requirements and challenges for merchants.
PCI DSS version 3.0 isn't a wholesale revision, but longtime PCI expert Ed Moyle says merchants' transitions must start now to avoid problems later.
As the industry preps for PCI DSS 3.0, compliance expert Mike Chapple reviews PCI's successes and failures. Has it made card data more secure?
The proposed PCI DSS 3.0 standard would emphasize in-house vulnerability assessments, add password flexibility and highlight service provider compliance.
PCI Community Meeting attendees this week discussed POS security and EMV issues; officials say feedback will influence more changes in the final PCI DSS 3.0.
PCI DSS 3.0 is the third major iteration of the Payment Card Industry Data Security Standard, a set of policies and procedures administered by the Payment Card Industry Security Standards Council (PCI SSC) to protect electronic payment data and sensitive authentication data.
PCI SSC leaders answer questions on PCI 3.0
Listen to an exclusive interview with the top executives of the PCI Security Standards Council.
PCI SSC General Manager Bob Russo and CTO Troy Leach discuss the final version of PCI DSS 3.0, explain why certain changes were made, and foreshadow what's next for the Security Standards Council.
PCI DSS: A history in pictures
SearchSecurity is pleased to present an original visual timeline detailing the history of the PCI DSS, listing dates, events and people that have been crucial in the creation and evolution of the payment card industry compliance mandate.
Bonus content: Events in PCI DSS history
As a supplement to our "Visual timeline: The history of PCI DSS," review these historical articles detailing notable events that shaped the creation and development of the Payment Card Industry Data Security Standard.
Compliance with Visa's 2001 mandate may be hard because of a lack of uniformity between the guidelines of Visa's North American and International divisions.
PCI is winning praise from security experts for providing specific requirements on encrypting data, implementing access controls and configuring firewalls.
Version 1.1 clarifies existing requirements and adds some new ones, but contrary to speculation over the past few months, it does not relax or water down security requirements for merchants and vendors.
The new Payment Application Data Security Standard, or PA-DSS, is based on Visa's Payment Application Best Practices, or PABP.
TJX agreed to implement tighter security and allow its data security to be audited in order to settle charges that its poor security led to the massive data breach.
The PCI SSC's quality assurance program for assessors will involve staff members dedicated to quality assurance, and will evaluate feedback from merchants on their assessors.
A federal judge sentenced Albert Gonzalez to 20 years in prison for his involvement in a series of massive data security breaches at Heartland Payment Systems and other companies.
Minor changes will be the rule for the 2.0 iteration of PCI DSS, including clarifications on secure coding and key management and a change that recommends merchants use data discovery tools to find cardholder data before a PCI assessment.
According to a new report by the PCI SSC, organizations need to create a risk assessment methodology that works for their specific business environment.
Ask the Experts
Your questions answered
SearchSecurity experts Mike Chapple (enterprise compliance, standards and frameworks) and Joseph Granneman (security management) are standing by to answer your questions about PCI DSS compliance.