The PCI Council has been officially planning the launch of PCI DSS version 3.1 since mid-February and, two months later, it is finally ready for use.
PCI SSC general manager Stephen W. Orfei recently said:
"We are focused on providing the strongest standards and resources to help merchants and their business partners protect against the latest threats to payment data. The PCI Standards development process allows us to do this based on industry and market input."
He also explained the goal of the revised standard:
"With PCI DSS 3.1 and supporting guidance we are arming organizations with a pragmatic, risk-based approach to addressing the vulnerabilities within the SSL protocol that can put payment data at risk."
The main reason for this new release was the discovery of flaws in SSL (Secure Sockets Layer, versions 1, 2 and 3) and in early versions of TLS (Transport Layer Security). These protocols are used as strong cryptographic solutions to ensure the privacy and reliability of data transmitted over online channels, but they have turned out to provide weak encryption.
We have discussed the reasons behind the release of a new version of the Data Security Standard in two previous blog posts:
"The Lifecycle for Changes to PCI DSS ensures a gradual, phased introduction of new versions of the standard in order to prevent organizations from becoming non-compliant when changes are published."
"During the lifecycle, the Council will continuously evaluate evolving technology and threats, and if necessary, make mid-lifecycle changes to the standards or provide ongoing supplemental guidance about these issues."
Looking at the official communication from the Council, we can learn more about several important points that both security experts and organizations should be aware of:
A bit of terminology before getting started: PCI DSS 3.1 contains 4 evolving requirements, 4 areas of additional guidance and 30 clarifications.
The 4 Evolving Requirements
Impacted requirements: 2.2.3, 2.3, 4.1, 4.1.1.
Content: from this release, all versions of SSL are considered examples of weak encryption.
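As an added illustration, not code from the Advantio post or from the PCI Council: a Python check that flags SSL and early TLS among the protocol versions a scanner reports a server accepting, next to a client-side context that refuses those versions. The protocol names, the constructed scan results and the choice of TLS 1.2 as the client floor are this example's assumptions.

```python
import ssl

# PCI DSS 3.1 no longer treats SSL (any version) or "early TLS" as strong
# cryptography. Which names fall in each set is this example's assumption:
# TLS 1.1 is taken as the lowest acceptable version, TLS 1.2 as the target.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}
ACCEPTABLE_PROTOCOLS = {"TLSv1.1", "TLSv1.2", "TLSv1.3"}


def audit_protocols(offered):
    """Classify the protocol versions a scanner says a server accepts.

    Returns (compliant, findings): compliant is True only when no SSL or
    early-TLS version is accepted and at least one acceptable version is.
    Names the check does not recognise are reported as findings rather
    than silently accepted, so a new or mistyped label never passes.
    """
    offered = {p.strip() for p in offered}
    weak = sorted(offered & WEAK_PROTOCOLS)
    unknown = sorted(offered - WEAK_PROTOCOLS - ACCEPTABLE_PROTOCOLS)
    strong = offered & ACCEPTABLE_PROTOCOLS
    compliant = not weak and not unknown and bool(strong)
    return compliant, weak + unknown


def pci_client_context():
    """Build a client SSLContext that will not negotiate SSL or early TLS.

    Setting minimum_version is the supported way to pin the floor; the
    TLS 1.2 floor (stricter than the audit's TLS 1.1) is an assumption.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # still validate the server chain
    ctx.check_hostname = True
    ctx.load_default_certs()
    return ctx


if __name__ == "__main__":
    # Constructed scan results for two hypothetical payment endpoints.
    scans = {
        "legacy.example": ["SSLv3", "TLSv1", "TLSv1.2"],
        "updated.example": ["TLSv1.2", "TLSv1.3"],
    }
    for host, versions in scans.items():
        ok, findings = audit_protocols(versions)
        print(host, "compliant" if ok else "NOT compliant", findings)
    print("client floor:", pci_client_context().minimum_version.name)
```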
The 4 Areas of Additional Guidance
Impacted requirements: 4.2, 11.2, 12.9, Appendix C.
Content: clarifies some aspects of end-user messaging (SMS), vulnerability scanning with automated and/or manual tools, involving service providers in specific requirements, and using the "sudo" command rather than "su" as a compensating control.
The 30 Clarifications
Impacted requirements: 3, 4, 6, 8, 9, 10, 11, 12.
Furthermore, there are some other minor changes to report:
Advantio are PCI Compliance experts and can aid your company in achieving compliance.
As a trusted advisor, our QSAs (Quality Security Assessors) can support an organisation in understanding the requirements, verify eligibility and can help with the completion of any SAQ. We can guide your company on the path to compliance, supporting you every step of the way.
Understand the impact of the new version 3.1 on your business, achieve and maintain PCI DSS compliance continually, and keep your business safe and healthy by making sure that you retain your customers' trust.
Marketing Director at Advantio. The articles published in the Advantio Blog have the goal of supporting our mission: making IT Security simple for everyone.
My intention is to discuss IT Security related topics through the eyes of a non-technical person, speaking a simple language and trying to show readers the benefit of IT Security best practices.