3. Application security is also an area where the council is putting more emphasis in the PCI guidelines. Russo says he's been dismayed that so many software developers not only haven't heard of the PCI standards but don't even know about the application vulnerabilities spelled out by the Open Web Application Security Project (OWASP) or the SANS Institute. Yet these application flaws are being exploited by attackers to steal payment-card data, he notes. In PCI 3.0, organizations will need to demonstrate that they have tested their payment applications against well-known classes of security flaws and followed industry secure-coding practices. This also means verifying the integrity of the source code during the development process. Under the PCI rules, vendors with remote access to customer premises for support and maintenance, for example, must use unique authentication credentials for each customer.
4. Remote access and authentication also see a few changes and clarifications versus the older PCI 2.0 version of the standard. Service providers have to use unique authentication credentials for each customer if they don't do so already. Physical and logical security tokens, smart cards, and certificates must be tied to an individual account, with controls ensuring that only the intended user can gain access. This could mean changes to how some networks handle administrative access over SSH, for example where a key or login is not tied to one named administrator.
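One concrete check for the SSH point above, added here as an example rather than anything from the article or the PCI Security Standards Council: a script that takes the authorized_keys contents collected from each account and flags any public key that is authorized in more than one account (one credential, several identities) or that sits on an account no single person owns (root, a deploy user). The account names, the SHARED_ACCOUNTS set and the key blobs are constructed sample data, not real keys; the fingerprint format matches what `ssh-keygen -lf` prints, so findings can be cross-referenced with real key inventories.

```python
"""Audit SSH authorized_keys entries for credentials not tied to one individual.

Added example (not from the article or the PCI SSC). Two patterns are flagged:
  * the same public key authorized in more than one account, and
  * any key on an account that no individual owns (root, service accounts).
All key material below is constructed dummy data, not real keys.
"""
import base64
import hashlib
from collections import defaultdict

# Token prefixes that mark the start of the key itself in an authorized_keys line.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob (as ssh-keygen -l prints)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (fingerprint, comment) for each key line.

    Blank lines, '#' comments and any leading options (command="...", no-pty, ...)
    are skipped. Limitation: an option whose quoted value contains whitespace and a
    word starting like a key type would confuse the scan; real files rarely do that.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens[:-1]):  # key type must be followed by a blob
            if tok.startswith(KEY_TYPE_PREFIXES):
                yield fingerprint(tokens[i + 1]), " ".join(tokens[i + 2:])
                break


def audit(keys_by_account: dict, shared_accounts: set) -> list:
    """Return findings as (kind, fingerprint, sorted account list) tuples."""
    accounts_by_fp = defaultdict(set)
    for account, text in keys_by_account.items():
        for fp, _comment in parse_authorized_keys(text):
            accounts_by_fp[fp].add(account)

    findings = []
    for fp, accounts in sorted(accounts_by_fp.items()):
        if len(accounts) > 1:
            findings.append(("key-shared-across-accounts", fp, sorted(accounts)))
        for acct in sorted(accounts & shared_accounts):
            findings.append(("key-on-shared-account", fp, [acct]))
    return findings


def fake_key(tag: str, keytype: str = "ssh-ed25519") -> str:
    """Constructed dummy authorized_keys line: the blob is a hash, not a real key."""
    blob = base64.b64encode(hashlib.sha256(tag.encode()).digest()).decode()
    return f"{keytype} {blob} {tag}"


# Constructed sample: account -> authorized_keys contents, as if gathered from
# /home/*/.ssh/authorized_keys and /root/.ssh/authorized_keys (assumption).
AUTHORIZED_KEYS = {
    "alice": fake_key("alice@laptop") + "\n",
    "bob": fake_key("bob@laptop") + "\n# vendor support key\n" + fake_key("vendor-shared") + "\n",
    "root": fake_key("vendor-shared") + "\n",  # same key as bob's second entry
    "deploy": 'command="/usr/local/bin/deploy" ' + fake_key("ci-runner") + "\n",
}
# Accounts that are not owned by a single named person (assumption for this sample).
SHARED_ACCOUNTS = {"root", "deploy"}


if __name__ == "__main__":
    for kind, fp, accounts in audit(AUTHORIZED_KEYS, SHARED_ACCOUNTS):
        print(f"{kind:28} {fp}  accounts={','.join(accounts)}")
```

In the sample, alice's key produces no finding, the vendor key shared between bob and root is reported once as shared across accounts and once for sitting on root, and the CI key is reported for sitting on the deploy account. In production the same logic runs over keys gathered by configuration management; a key flagged as shared is exactly the credential that cannot be traced to one individual.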
5. Antivirus protection has long been a requirement under the PCI rules, but in PCI 3.0 the council adds some nuance about fighting malware. Questions have come up when QSAs go into data centers and find, for example, a mainframe that doesn't have antivirus software; the question then is whether the system could be affected by malware at all, CTO Leach says. In practice, managing that risk does not necessarily mean traditional antivirus: it can mean other anti-malware approaches or "compensating controls," and in any case organizations must continue to "evaluate evolving malware threats for any systems not considered to be commonly affected."
Russo says that PCI 3.0 takes effect Jan. 1, 2014, but merchants and service providers "still have a year in which to sunset the old version" of the standard. The council, started in 2006 by the card associations such as Visa and MasterCard, has more than 650 participating organizations, including merchants, banks, processors, and vendors. The council says it got two years of input for PCI 3.0 from about 1,700 attendees at its community meetings around the world.
One engineer's concerns over what PCI 3.0 doesn't do
Some security experts say it's what they don't see in the new PCI 3.0 standard that jumps out at them.
Greg Rosenberg, a security engineer at Trustwave, expressed disappointment that PCI 3.0 contains no specific guidance on mobile-payment applications, an area of huge interest to banks and merchants. "The architecture for mobile devices is different," says Rosenberg, noting that smartphones and tablets that can be used for card payment processing introduce a new range of products -- and new threats aimed at exploiting them. "How do I extend vulnerability scans against mobile?"