Collisions likely over PCI 3.0

New standards are meant to 'help' merchants, but experts say they are more about protecting credit card companies

In the ongoing cat-and-mouse game over the protection of credit card data, the Payment Card Industry's (PCI) stated goal for its 700-plus participants – card companies, banks, payment processors, hardware and software developers, merchants and assessors – is to avoid being the mice.

Or, at the least, for them and millions of individual card holders to be very well-protected mice.

But a portion of the security community believes that the council's real goal is not equal protection for all stakeholders, but much more of it for its founders, the five major credit card brands, at the expense of the rest. The impending new PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS), Version 3.0, will do little or nothing to change that, they say.

A preview of highlights of the proposed changes was published last month by the PCI Security Standards Council (PCI SSC) and a draft version went to Participating Organizations (PO) Sept. 12. The draft will be discussed next week, Sept. 24-26, at the council's North American Community Meeting in Las Vegas.

The final version is scheduled to be issued Nov. 7 and take effect Jan. 1, 2014, although Version 2.0 will remain active until the end of 2014.
