Essential Guide
PCI 3.0 special report: Reviewing the state of payment card compliance
Learn about the critical changes in PCI DSS 3.0, the history of the PCI Data Security Standard, and what the future may hold for payment card industry compliance.
Introduction
It's been three years in the making. The third iteration of the Payment Card Industry Data Security Standard, arguably enterprise information security's most important and successful mandate, updates the rules merchants must follow to protect customer payment card data.
PCI DSS 3.0 raises the bar for vulnerability assessments, password management and provider compliance. Which changes will have the greatest effect on the PCI compliance process? Does PCI 3.0 go too far, or not far enough? How should enterprises prepare for PCI 3.0 assessments in 2015? We tackle those questions and more in this exclusive SearchSecurity special report.
1News & Analysis-
PCI Data Security Standard 3.0
PCI 3.0 is here. Read our news coverage detailing the changes and get expert analysis on what they mean for payment card compliance.
PCI 3.0: New requirements cover pen testing, service providers
Version 3.0 of the Payment Card Industry Data Security Standard has few surprises, but a host of new requirements and challenges for merchants. Continue Reading
PCI DSS version 3.0 analysis: The five most important changes
PCI DSS version 3.0 isn't a wholesale revision, but longtime PCI expert Ed Moyle says merchants' transitions must start now to avoid problems later. Continue Reading
PCI QSA analysis: PCI DSS 3.0 is a step forward
A veteran Qualified Security Assessor believes PCI DSS 3.0 will help both QSAs and enterprises, but says further clarifications are needed to avoid PCI assessment disputes. Continue Reading
PCI DSS review: Assessing the PCI standard nine years later
As the industry preps for PCI DSS 3.0, compliance expert Mike Chapple reviews PCI's successes and failures. Has it made card data more secure? Continue Reading
Early look at PCI 3.0 emphasizes vulnerability assessments, passwords and payment data flow
The proposed PCI DSS 3.0 standard would emphasize in-house vulnerability assessments, add password flexibility and highlight provider compliance. Continue Reading
2013 PCI Community Meeting highlights: Point-of-sale security, PCI 3.0, and more
PCI Community Meeting attendees this week discussed POS security and EMV issues; officials say feedback will influence more changes in the final PCI DSS 3.0. Continue Reading
PCI DSS 3.0
PCI DSS 3.0 is the third major iteration of the Payment Card Industry Data Security Standard, a set of policies and procedures administered by the Payment Card Industry Security Standards Council (PCI SSC) to ensure the security of electronic payment data and sensitive authentication data. Continue Reading
2Podcast-
PCI SSC leaders answer questions on PCI 3.0
Listen to an exclusive interview with the top executives of the PCI Security Standards Council.
Podcast: The SSC's Russo and Leach discuss the final version of PCI 3.0
PCI SSC General Manager Bob Russo and CTO Troy Leach discuss the final version of PCI DSS 3.0, explain why certain changes were made, and foreshadow what's next for the Security Standards Council. Continue Reading
3Timeline-
PCI DSS: A history in pictures
SearchSecurity is pleased to present an original visual timeline detailing the history of the PCI DSS, listing dates, events and people that have been crucial in the creation and evolution of the payment card industry compliance mandate.
Visual timeline: The history of PCI DSS
The origins of the PCI Data Security Standard date to the late 1990s. Explore key events in the history of PCI DSS, from Y2K to PCI DSS 3.0. Continue Reading
4Archives-
Bonus content: Events in PCI DSS history
As a supplement to our "Visual timeline: The history of PCI DSS," review these historical articles detailing notable events that shaped the creation and development of the Payment Card Industry Data Security Standard.
Lack of guideline uniformity puts Visa merchants in quandary
Compliance with Visa's 2001 mandate may be hard because of a lack of uniformity between Visa's North American and International divisions' guidelines. Continue Reading
Swiping back: Praise for PCI Data Security Standard
PCI is winning praise from security experts for providing specific requirements on encrypting data, implementing access controls and configuring firewalls. Continue Reading
New PCI Council details changes to Data Security Standard
Version 1.1 clarifies existing requirements, as well as adds some requirements, but contrary to speculation over the past few months, it does not relax or water down security requirements for merchants and vendors. Continue Reading
TJX breach worse than originally feared
Customers who used their cards at the company's stores between January 2003 and June 2004 were discovered to be at risk. Continue Reading
PCI DSS assessors see lessons in TJX data breach
According to several PCI auditors, companies should study the TJX security breach for clear lessons on what not to do with customer data. Continue Reading
First Data CISO calls for PCI DSS changes
Phil Mellinger, who developed the precursor to the current PCI DSS rules, is calling for an overhaul to eliminate subjectivity. Continue Reading
PCI DSS: The bar should not be lowered
PCI SSC general manager Bob Russo says the baseline principle of protecting customer data will not be advanced by a loosening of PCI DSS requirements. Continue Reading
PCI Council adds new standard for payment applications
The new Payment Application Data Security Standard, or PA-DSS, is based on Visa's Payment Application Best Practices, or PABP. Continue Reading
In FTC settlement, TJX agrees to 20 years of audits
TJX agreed to implement tighter security and allow its data to be audited to settle charges that its poor security led to the massive data security breach. Continue Reading
PCI SSC launches assessor quality assurance program
The program will involve staff members who will be dedicated to quality assurance, and will evaluate feedback from merchants on assessors. Continue Reading
Expert predicts PCI DSS problems for retailers
An expert says it could cost millions of dollars for retailers to rip and replace outdated systems and devices still using Wired Equivalent Privacy, or WEP, to secure 802.11 Wi-Fi networks. Continue Reading
Heartland breach highlights PCI DSS limitations
Eric Ogren says the standard is often overkill for enterprises and the prescriptive nature of PCI inhibits innovation in such areas as virtualization and cloud computing. Continue Reading
TJX, Heartland hacker sentenced to 20 years in prison
A federal judge sentenced Albert Gonzalez to 20 years in prison for his involvement in a series of massive data security breaches at Heartland Payment Systems and other companies. Continue Reading
PCI DSS 2.0 addresses secure coding, key management
Minor changes will be the rule for the 2.0 iteration of PCI DSS, including clarifications on secure coding and key management and a change that recommends merchants use data discovery tools to find cardholder data before a PCI assessment. Continue Reading
PCI DSS risk assessment methodology unique to each company
According to a new report by the PCI SSC, organizations need to create a risk assessment methodology that works for their specific business environment. Continue Reading
5Ask the Experts-
Your questions answered
SearchSecurity experts Mike Chapple (enterprise compliance, standards and frameworks) and Joseph Granneman (security management) are standing by to answer your questions about PCI DSS compliance.
-
Mike Chapple, Enterprise Compliance
SearchSecurity -
Start the conversation
0 comments