With its latest proposal, the Payment Card Industry Security Standards Council aims to make card data security more straightforward for merchants and organizations accepting payments.
Today, the PCI council is publishing the PCI Data Security Standard and Payment Application Data Security Standard version 3.0 Change Highlights. The council's proposed changes to the PCI standards focus on the basics of data security, from creating stronger passwords to understanding the challenges of allowing a third party to handle security projects.
"For good security, you have to do the basic stuff first," says Bob Russo, general manager of the PCI Security Standards Council. "In 90% of the breaches we see, the cause is failure to do the basic things like creating strong passwords and monitoring data."
The council maintains the card industry's rules for protecting payment card data.
The seven-page document addresses education and awareness, flexibility in processes, and creating a mindset where security becomes a shared responsibility within a business, Russo says.
The new document is the result of feedback and conditions within the payments market, Russo says. The potential changes will be discussed at upcoming PCI community meetings and the document will undergo any needed tweaks prior to its official publishing in November, Russo adds.
Data security education and awareness throughout an organization is becoming vital, says Troy Leach, the council's chief technology officer.
"In the past, merchants may have had only their IT risk team involved in security," Leach says. "But document and process retention is needed at all levels so that everyone understands why IT folks are asking certain questions."
The PCI council wants to create a "culture for protecting cardholder data, rather than have it be something you dust off once a year," Leach says.
The proposed changes to the data security standards should serve as a "launching pad" for more discussions about security within every department at a business, Leach adds.
Russo says the PCI's participating organizations will see that basic elements of security continue to evolve as part of the data-protection process. "We said forever that you needed a seven-character password for log-ins, but now people are using favorite or common phrases," Russo says. "They now see that one or the other, or both, are good security measures."
Mostly, the council wants to fight the complacency that can set in after a merchant has completed the risk assessment test for the year, Russo says.
The change highlights document, with tables outlining the anticipated updates, is available on the PCI SSC website.
The council plans a series of webinars for the PCI organizations and the general public to review the proposed changes.