The soon-to-be-released Version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS) promises to enhance security measures and stimulate activity in a number of industries. The publication date is set for November 7, but merchants and service providers will have until December 31, 2014, to submit compliance reports. The changes it introduces are expected to be more rigorous than those in the prior version. The 12 main security areas will remain the same, but a range of new sub-requirements, which may have separate compliance deadlines, will be added. Expected changes include an increased focus on education and testing methodology, more flexibility and clarity, and a focus on risk management in threat environments. The recently published “PCI 3.0 – catch a sneak peek before full feature” MIS Spotlight provides more details on PCI DSS Version 3.0.
PCI DSS Version 3.0 may benefit vendors in a number of industries, including anti-malware, PCI consulting and Web-application firewall (WAF). Imperva, F5 Networks and Citrix were some of the leading WAF vendors in 2012. At that time, only 11% of enterprises planned spending increases for WAF, while 27% expected to keep a flat budget. New PCI DSS compliance requirements may send security managers back to their drawing boards and provide an opportunity for vendors to stand out.
Notably, the chart below also shows that users sometimes confuse the terms ‘application-aware firewall’ and ‘Web-application firewall,’ since some of the listed vendors do not offer WAFs.
Narratives from TheInfoPro’s Wave 15 Information Security Study underlined some of the common enterprise challenges with PCI. For example, new project and product launches may affect PCI compliance, so continuous evaluation efforts and policy work may be required to ensure secure operations. In addition, PCI was mentioned as a common driver and an approval catalyst for new information security projects, which means that PCI DSS updates carry significant implications for enterprises.
The following narratives were provided on PCI by survey respondents:
- “PCI – several business projects that may impact the security for PCI. Don’t want new projects to impact our compliance efforts.” – MSE, Consumer Goods/Retail
- “I was hired three weeks ago to build a policy for PCI. I already have requests for proof of compliance. Waiting for approvals to get funding and staff.” – MSE, Telecom/Technology
- “Every day we have to meet HIPAA and PCI DSS with new products.” – LE, Healthcare/Pharmaceuticals
- “PCI and SOX are ongoing. PCI increases compliance requirements.” – LE, Other
- “We now have a formal project management process. They have to go through that, which is governed by a number of committees. The ROI is part of that process. It is very much compliance driven. A regulatory or ‘must do’ category. PCI is one of those.” – MSE, Education