NACS, PCATS Respond to PCI DSS and PA-DSS Changes

Version 3.0 focuses on flexibility, education and awareness, and security as a shared responsibility.

August 19, 2013

WAKEFIELD, Mass. – The PCI Security Standards Council (PCI SSC) has published the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) 3.0 Change Highlights as a preview of the new version of the standards coming in November 2013.

The changes are an attempt to help companies make PCI DSS part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility.

Changes to the standards are made based on feedback from the Council’s global constituents per the PCI DSS and PA-DSS development lifecycle and in response to market needs. Key drivers for version 3.0 updates include: lack of education and awareness; weak passwords and authentication challenges; third party security challenges; slow self-detection in response to malware and other threats; inconsistency in assessments. 

“Today, most organizations have a good understanding of PCI DSS and its importance in securing card data, but implementation and maintenance remains a struggle — especially in light of increasingly complex business and technology environments,” said Bob Russo, PCI SSC general manager.  

There is agreement within the industry on the need to update the PCI DSS, especially in light of PCI SSC’s concerns around education and the need for data security best practices.

“The PCI DSS is not a standard per se, but really a mandate from the credit card brands; it’s been a confusing array of one-sided rules from the start and it’s easily understandable why adoption is slow at best, especially by small merchants,” said NACS Vice President of Member Services Michael Davis. “For quite some time, PCATS has worked with the individual card brands and PCI to address the issues related to data security and compliance within the small merchant community.”

PCATS’ definition of a small merchant has always been the individual site operator with up to 20 or 30 locations, who does not have the technical expertise or resources to implement the highly technical specifications of PCI.

Recently, PCATS submitted its Data Security Committee’s “8 Point Risk Mitigation” guide as an example of how PCI and the card brands might focus on key risk reduction measures that are achievable for the small merchant working with their technology vendor(s).  An outcome of this effort has been the agreement of other trade groups, such as National Restaurant Association, Retail Systems Providers Association, etc., that this approach makes sense. As a result, PCATS and NRA are rounding up support for the proposal to form a special interest group (SIG) within PCI to focus on small merchant realities, and advise PCI on how it might make data risk mitigation and compliance more appealing to this huge market segment. 

To that end, 10 Participating Organizations — suppliers and retailers — wrote PCI SSC to express their support of this SIG. Davis added, “In the convenience and fuel retailing industry, more than 106,000 of the 149,220 sites in the United States qualify as small merchants and would all benefit greatly by PCI DSS’ adoption of PCATS’ recommendations.” 

The PCI DSS updates are still under review by the PCI community. Final changes will be determined after the PCI Community Meetings and incorporated into the final versions of the PCI DSS and PA-DSS published in November.

The change highlights document with tables outlining anticipated updates is available on the PCI SSC website.
