PCI DSS 3.0 and Encryption

Version 3.0 of PCI DSS (Payment Card Industry Data Security Standard) was released in November 2013, and now that version 2.0 became inactive at the end of last year, all organizations should have made the transition to version 3.0.

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

Recently I had another look at version 3.0 and have a few observations:

Overall, version 3.0 is an improvement on previous versions because it includes more security intent rather than just prescriptive rules, which encourages a more holistic view. This is important because the intent of merchants should be to improve the security around customers’ data (and their own), not simply to achieve PCI compliance. Compliance does not necessarily mean data security, but a focus on security in terms of risk, confidentiality, integrity and availability is likely to cover a lot of compliance. A security-led approach is better than a “checklist” compliance approach. This applies not only to the payment card industry but to all sectors, including government, health, education, etc.

With regard to encryption, I see some improvement too. In Section 3.4.1 it says:

3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts.

In the past, merchants may have thought they could use a product that performed disk encryption but was configured to automatically unlock the drive and boot directly to the OS login screen. I think section 3.4.1 makes it clear that one cannot skip pre-boot authentication or any authentication until the machine has been automatically unlocked, and then rely solely on the operating system for authentication. With previous versions of the standard, the merchant who had encryption could achieve compliance, but if that encryption relied on the operating system for authentication, it was not really secure, because encryption without proper authentication does not guarantee confidentiality.
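
As an added illustration (not from the original post or from the PCI DSS text), the following Python check audits a Linux crypttab-style file for the auto-unlock pattern described above. It assumes the field layout of systemd's crypttab(5); the sample entries, the function name and the verdict labels are constructed for this example.

```python
# Added example: flag crypttab entries that unlock without a user-entered secret.
# Field layout follows crypttab(5): name, device, key file, options.
SAMPLE_CRYPTTAB = """\
# constructed sample, not taken from a real system
cardholder_db  UUID=1111-aaaa  none                  luks
reports        UUID=2222-bbbb  /etc/keys/reports.key luks,discard
archive        UUID=3333-cccc  -                     luks,tpm2-device=auto
swap           /dev/sda3       /dev/urandom          swap,cipher=aes-xts-plain64
"""

RANDOM_SOURCES = {"/dev/urandom", "/dev/random"}


def audit_crypttab(text):
    """Return a list of (volume, verdict, reason) tuples, one per entry."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed entry, nothing to assess
        name = fields[0]
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        if keyfile in RANDOM_SOURCES:
            # Throwaway key generated each boot (typical for swap)
            findings.append((name, "ephemeral", "random key per boot, data not persistent"))
        elif keyfile not in ("none", "-"):
            # Key material stored on the system: volume opens with no user present
            findings.append((name, "auto-unlock", "key file " + keyfile + " is read at boot"))
        elif any(o.startswith("tpm2-device=") for o in options):
            # TPM can release the key unattended unless a PIN was enrolled
            findings.append((name, "review", "TPM-bound unlock; confirm a PIN is enrolled"))
        else:
            findings.append((name, "interactive", "passphrase prompt before unlock"))
    return findings


if __name__ == "__main__":
    for name, verdict, reason in audit_crypttab(SAMPLE_CRYPTTAB):
        print(f"{name:14} {verdict:12} {reason}")
```

Entries reported as auto-unlock or review are the ones where the operating system login ends up being the only authentication in front of the decrypted data.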


PCI DSS version 3.0 is a step forward, and I hope future versions will continue to migrate towards an emphasis on principles and intent to achieve true security, not just compliance.
