Collisions likely over PCI 3.0

New standards are meant to 'help' merchants, but experts say they are more about protecting credit card companies

In the ongoing cat-and-mouse game over the protection of credit card data, the Payment Card Industry's (PCI) stated goal for its 700-plus participants – card companies, banks, payment processors, hardware and software developers, merchants and assessors – is to avoid being the mice.

Or, at the least, for them and millions of individual card holders to be very well-protected mice.

But a portion of the security community believes that its real goal is not equal protection for all stakeholders, but much more of it for its founders – five major credit card companies – at the expense of the rest. The impending new PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS), Version 3.0, will do little or nothing to change that, they say.

A preview of highlights of the proposed changes was published last month by the PCI Security Standards Council (PCI SSC) and a draft version went to Participating Organizations (PO) Sept. 12. The draft will be discussed next week, Sept. 24-26, at the council's North American Community Meeting in Las Vegas.

The final version is scheduled to be issued Nov. 7 and take effect Jan. 1, 2014, although Version 2.0 will remain active until the end of 2014.