PCI DSS 3.0 comes into effect

  • Written by FinTech Futures
  • 2nd January 2015
Paul Ayers is VP EMEA at Vormetric

Maintaining credit and debit card information on behalf of financial services organisations demands the highest levels of security and customer confidence, and adhering to standards like PCI DSS plays a crucial role in this. Yet, though the standard is unique in that it regulates data protection across a multitude of industries, PCI DSS remains one of the most challenging regulations with which companies must comply. Its Janus-faced qualities – some say it’s too prescriptive, while others complain that the standards are confusingly vague – make achieving and managing compliance difficult and time-consuming, writes Paul Ayers.

Since its inception in 2001, the standard has posed a number of challenges to risk managers, information security personnel and IT operations professionals alike. Not only must companies achieve and maintain compliance with the numerous stipulations of PCI DSS, but they must also do so across geographically distributed networks and across both structured and unstructured data sets. Unsurprisingly, protecting such varied assets – which may include databases, file server files, documents, images, voice recordings, access logs and so on – in a dynamic threat environment and in a manner that is compliant can prove challenging. Of course, the increasing use of cloud computing and big data technologies – which players in the financial sector have adopted with enthusiasm – has created additional, but not insurmountable, challenges to achieving compliance with the mandate. It is worth noting that, in the face of such rapidly changing technology, the use of point solutions to patch holes in data security compliance requirements has become both expensive and difficult to support from a management standpoint.

Now, with 2015 upon us, and the deadline for PCI DSS 3.0 compliance passed, retailers, payment processors and financial institutions are feeling the strain with regards to understanding what steps to take. PCI DSS 3.0 actually took effect in January 2014, but organisations were able to postpone implementing the standard until 1 January 2015. In this time, implicated businesses should have established and implemented the security controls and procedures required to meet the new standard. Reflective of today’s heightened threat environment, where businesses and lawmakers alike must respond to more and more internal and external hazards, it should come as little surprise to many that this version of the standard has some 408 requirements – that’s 27 percent more rules than version 2. Interestingly, revisions to this version have reinforced the criticality of robust encryption and key management.

Section 3.5.2, for example, calls on businesses to store the secret and private keys used to encrypt and decrypt cardholder data separately and/or within a secure cryptographic device. Furthermore, the PCI Council has also elaborated on the principles of split knowledge and dual control, underscoring the criticality of implementing controls so that no single administrator has privileged access to both keys and encrypted data. Requirement 7 is important to note here: sections 7.1 and 7.2 state that only users and resources that must access cardholder data in order to complete their job should have access to systems containing cardholder data. Also, under requirement 10, which remains unchanged from version 2 of the mandate, audit trails must be present for access to networks and cardholder data by system components, administrators and users.
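The following is an added illustration, not code from the article or from Vormetric, of the key-management principles named above: split knowledge (each custodian holds only a component of the key, and no subset short of the full set reveals anything about it), dual control (reconstruction requires more than one custodian), an audit entry for each reconstruction attempt in the spirit of requirement 10, and a separation-of-duties check so that nobody holds both key-custodian and cardholder-data administrator rights. The role names and the XOR component scheme are assumptions chosen for the example.

```python
import secrets
from typing import Callable, Dict, List, Set

# Hypothetical illustration of PCI DSS 3.5.2 split knowledge / dual control,
# a requirement 10 style audit trail, and a requirement 7 separation-of-duties check.

def xor_bytes(*parts: bytes) -> bytes:
    """XOR equal-length byte strings together."""
    out = bytes(len(parts[0]))
    for p in parts:
        if len(p) != len(out):
            raise ValueError("key components must be equal length")
        out = bytes(a ^ b for a, b in zip(out, p))
    return out

def split_key(key: bytes, custodians: int,
              rand: Callable[[int], bytes] = secrets.token_bytes) -> List[bytes]:
    """Split `key` into `custodians` components whose XOR is the key.
    All but the last component are random, so any subset short of the
    full set is statistically independent of the key (split knowledge)."""
    if custodians < 2:
        raise ValueError("dual control requires at least two custodians")
    components = [rand(len(key)) for _ in range(custodians - 1)]
    components.append(xor_bytes(key, *components))  # last component fixes the XOR
    return components

def reconstruct_key(components: List[bytes], required: int, audit: List[str]) -> bytes:
    """Rebuild the key only when `required` components are presented (dual control),
    recording every attempt, allowed or denied, in the audit trail."""
    if len(components) < required:
        audit.append(f"DENIED key reconstruction: {len(components)}/{required} components")
        raise PermissionError("dual control: insufficient key components")
    audit.append(f"key reconstructed under dual control ({required} components)")
    return xor_bytes(*components)

def separation_violations(assignments: Dict[str, Set[str]]) -> List[str]:
    """Users who hold both key-custodian and cardholder-data admin rights
    (hypothetical role names); such a user could reach keys and encrypted data."""
    conflicting = {"key_custodian", "cde_data_admin"}
    return sorted(user for user, roles in assignments.items() if conflicting <= roles)

if __name__ == "__main__":
    dek = secrets.token_bytes(16)  # constructed sample data-encrypting key
    trail: List[str] = []
    parts = split_key(dek, 3)
    assert reconstruct_key(parts, 3, trail) == dek
    print(separation_violations({"alice": {"key_custodian"},
                                 "bob": {"key_custodian", "cde_data_admin"}}))
```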

There are also a couple of key focus points that will directly affect the specific activity of Cloud Service Providers (CSPs). One of these is the requirement for a written agreement (or acknowledgement) from the CSP to its customers of its explicit responsibilities for supporting the standard. PCI DSS 2.0 already contained requirements for service providers, but this change will require them to develop specific, contract-level documentation of their commitments. Other points of interest include more explicit definitions around the shared responsibility of service providers who provide PCI DSS compliant environments and services to customers, specific enhancements around penetration testing, education and awareness, as well as specific clarifications around the use of encryption and cryptographic keys.

Looking ahead to the coming year, there can be little doubt that the financial sector will remain a key target for cyber-criminals – pummeled by both nation state hackers trying to harm enemies’ core financial structure and criminals out to steal money. And, with regulators around the world increasingly involved in enhancing existing data security compliance requirements and defining new data security regulations, the time has come to put protections in place around that data itself.

In the past, organisations only encrypted what compliance requirements forced them to protect, or what they had to protect because they operated in an industry where secrets were important. However, the new stipulations outlined above show why PCI DSS is no longer a simple ‘check box’ compliance activity – it has evolved considerably past the point where, once a year, a business made sure it was adhering to the standard’s stipulations. In this brave new world, where the tempo of data breach incidents perpetrated by hackers shows no sign of slowing and the risk to data can also come from a trusted insider, any business handling payment data and sensitive, personally identifiable data needs to put encryption, granular access controls and data access monitoring in place. This combination reduces the available attack surface by limiting who, what, when, where and how data can be accessed, and then keeps an eye on those with a need to know by monitoring their data access patterns for behaviour that may indicate an attack in progress.
