PCI 3.0 Is Coming – Are You Ready?

Every 3 years the Payment Card Industry Data Security Standard (PCI) is updated to a new version. The time for the next release is right around the corner.

Version 2.0 will be replaced by PCI 3.0 in just a few weeks, and the question you need to ask yourself is:

Are you prepared for PCI 3.0?

Starting on January 1, 2014, you will be able to apply the new standard to your business and comply with all that it contains, but if there are elements in the new version of PCI 3.0 that you cannot meet, all hope is not lost. You can continue to validate your compliance to version 2.0 of the PCI Standard for all of 2014 if you so choose.

In other words, next year you can pick to comply with either PCI 2.0 or PCI 3.0.

When the standard is released it is understood that you might have to change your operations in order to meet the new version, so you are given a year to make those adjustments.

But wait, there’s more!

There is more good news if you want to look at the new standard.

From the perspective of the merchant, the new standard (at least the draft version we were able to preview before the official release) does not look significantly different from the previous one. More information is required from the network diagram, and the penetration testing requirement has more guidance, but there are few substantive changes.

On the other hand, service providers (those who can affect the security of a merchant like a POS provider or a web hosting provider) will need to provide more information to the merchants who are working on PCI compliance under PCI 3.0.

The standard expects more due diligence focused on how a service provider affects the security of the merchant who is taking credit cards. This is probably the greatest difference between 2.0 and PCI 3.0, and it will be interesting to see how this plays out in the future.

It is important to remember the PCI is the minimum security that a merchant should put into place so that their customers’ credit cards are protected. Security should be viewed as any other company policy – you always need to run your business in a certain manner, not just during your validation efforts.

If you integrate security into your regular business practices first, then you will find that PCI will naturally follow.