PCI 3.0

Although it may seem as if the Payment Card Industry Data Security Standard (PCI DSS) was launched yesterday, the PCI Security Standards Council was in fact created in 2006 to consolidate, and better promulgate, the major card brands' then overlapping data security requirements. The Council updated the original standard in 2010 (with Version 2.0), and now, in November 2013, it will release Version 3.0.

The PCI standards have sometimes been controversial. Some (too many) in the industry have treated the requirements as a compliance checklist to be certified against once a year, and the headlines have been filled with breached merchants who had "just recently" been assessed as PCI compliant. As the years went by, it became all too apparent that there were significant inconsistencies in how PCI assessments were executed, and in the security hygiene that certified organizations actually maintained between annual assessments.

Last month's PCI DSS 3.0 Change Highlights preview document suggests that the modifications planned for Version 3.0 could be very helpful. The document states that:

Changes planned for Version 3.0 are designed to help organizations take a proactive approach to protect cardholder data that focuses on security, not compliance, and makes PCI DSS a business-as-usual practice.

That's exactly the right goal, and some of the emphases appear to be particularly significant for Shared Assessments members. PCI 3.0, for example, places increased emphasis on security as a shared responsibility, which is appropriate in today's more complex payments environment. The revised requirements will mandate that entities maintain records of which PCI DSS requirements they manage themselves and which are managed by each of their service providers (new Requirement 12.8.5). The standard will also require service providers to acknowledge in writing their responsibility for the PCI DSS requirements that apply to them (new Requirement 12.9). In practice this means a contracting entity should be able to produce, for every service provider that stores, processes or transmits its cardholder data, a current responsibility matrix and a written acknowledgement from that provider, rather than relying on an assumption that "the vendor handles it."

In the financial services sector in particular, relationships between financial institutions (FIs) and their business partners have come under increased regulatory scrutiny. Earlier this week Comptroller Thomas Curry gave notice that the Office of the Comptroller of the Currency (OCC) will issue enhanced supervisory standards for large national banks. He said "As part of this 'heightened expectations' program, we are insisting that internal controls and audit be raised to the standard of 'strong' and we are making it clear that satisfactory ratings are not acceptable." That is a big deal, of course, and we might reasonably hope that FIs of all sizes will step up to the plate as they educate their merchant partners and help supervise those partners' PCI 3.0 compliance going forward.

For more than 35 years, Santa Fe Group Senior Consultant Gary Roboff has contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.