The PCI Security Standards Council on Thursday released updated requirements for organizations that handle credit cardholder data and thus must comply with the council’s data security standard, known as PCI DSS.
The changes, first introduced in draft form in August, were then discussed during public PCI community meetings, before becoming formalized in PCI DSS version 3, which details information security policies and procedures for businesses that collect or process cardholder data. Also Thursday, the council released the Payment Application Data Security Standard (PA-DSS) version 3, which covers vendors of payment industry software.
Both standards will take effect January 1, although businesses will have until the end of 2014 to comply. “The older version, 2.0, will be ‘sunsetted’ for one year, so … you have some time to see what the changes are,” said Bob Russo, general manager of the PCI Council, speaking by phone. “But please don’t wait until the end of next year.”
What’s new? “The 3.0 version of this standard is probably more of a natural evolution than a revolution,” said Rodolphe Simonetti, managing director of Verizon’s Payment Card Industry Services, in a phone interview.