The PCI Security Standards Council recently unveiled the long-awaited version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS). Retailers, service providers and other organizations involved in credit card processing have until January 2015 to comply with the new standard. There’s a lot to do.
How should an organization get started? The best approach is to prioritize the changes based on the date they become effective for your credit card processing activities.
The good news is that, although PCI DSS 3.0 went into effect on January 1, 2014, merchants have a one-year grace period to adapt to the new standard. In the interim, they may choose to recertify under either the PCI DSS 2.0 or 3.0 standard. In addition, implementation deadlines for a handful of requirements are further delayed until July 1, 2015.
As the first step in preparing to comply with PCI DSS 3.0, thoroughly read the new standard. The PCI DSS 3.0 Summary of Changes prepared by the PCI Security Standards Council can help guide your review. While the summary of changes runs 12 pages, you’ll be relieved to find that the vast majority of those changes are classified as “Clarification” or “Additional Guidance” updates that simply correct ambiguous wording. Review each of these changes, but chances are they will not significantly impact your PCI DSS compliance program.
The significant items to watch out for are those labeled “Evolving Requirement.” In these cases, the PCI SSC has substantively changed the standard. Think of it as a euphemism for “new work.” Work your way through each of the changes identified in the document and determine what actions, if any, will be required to bring your cardholder data environment into compliance with the new standard.
Once you’ve reviewed the standard and outlined your work plan, start implementing any required changes. The good news is that you have until the end of 2014 to implement these changes, so an early start will give you plenty of time to evolve gradually. Some of what you must cover in this first wave includes:
Tailor your organization’s 2014 action plan to meet the specific operational needs of your credit card processing environment.
Once you’ve tackled the first wave of changes, turn your attention to the four requirements that have the deferred implementation deadline of July 1, 2015. These four requirements include:
While any major update to a compliance standard can be a disruptive event for an organization, there’s no need to panic with the release of PCI DSS 3.0. The majority of the changes in this version simply clarify existing requirements.
For those requirements likely to require change, the standard provides plenty of time, with the first deadline at the end of this year and the second even farther out in July 2015. If you start now, you should have enough time to ensure continued compliance.