Here Comes PCI DSS 3.0 – But is it Enough?

New PCI Data Security Standards guidelines are about to hit the streets for financial institutions

Future Impact on Banking and Finance

The true impact of the new guidelines on the banking and finance industries will be felt in 2015, when they officially go into effect and are enforced. I advise merchants to review the version 3.0 requirements carefully as soon as is feasible, but in reality some are still updating to the current PCI DSS 2.0 rules, so there will be a lag. For banks that do not yet have a full cardholder-data scope-reduction or protection strategy, 3.0 will help provide a framework and foundation for building one.

Reducing Risk Today — New, Proven Methods

Proven, validated technologies are already available that remove cardholder data entirely from the high-risk, low-trust systems common in retail payment processing while preserving the business functions that depend on it. That covers everything from mainframe to mobile, from Big Data systems such as Hadoop to cloud applications, and e-commerce platforms and point-of-sale equipment alike. The leading merchants and payment processors are already ahead of the curve with a data-centric approach that tackles the risk more aggressively, with large PCI-compliance cost savings as a result: in some cases well over 90 percent compared with compensating controls or traditional storage and file encryption. If there is no data to steal, both the risk and the compliance burden are dramatically reduced. One caveat a QSA will raise: the systems that perform the encryption or tokenization and hold the keys or token mapping remain in scope, so the aim is to shrink the cardholder-data environment to those systems, not to claim it has disappeared.

The good news is that with NIST's recognition of powerful new data-centric methods such as AES-based FFX Format-Preserving Encryption (mode FF1 in NIST SP 800-38G, a draft special publication at the time of writing) to protect data easily and quickly, merchants, acquirers, card issuers and processors can choose proven approaches carrying the highest possible security stamp of approval. Combined with independently validated techniques such as Secure Stateless Tokenization (SST), organizations have powerful and easy-to-deploy means of reducing attack risk and compliance burden. That is critical in removing the doubts and risks that still surround the many proprietary and unproven solutions on the market. PCI QSAs and risk assessors demand the highest levels of risk reduction through proofs of security, standards acceptance and independent validation of data-protection methods, and rightly so: with anything else it is a gamble on not having a breach, and once one happens it is too late.
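As an added example, not code from the original article and not Voltage's product: the data-centric approach described in the two preceding paragraphs, shown as format-preserving encryption of a PAN. The block keeps the alternating Feistel structure of FF1 over decimal digits but substitutes HMAC-SHA256 for FF1's AES-based round function so it runs on the Python standard library alone; the key, the test card number and the choice of keeping the BIN and last four digits in clear are assumptions made for the demonstration.

```python
"""FFX-style format-preserving encryption of a PAN (added example).

Constructed illustration only: it keeps the alternating Feistel structure of
NIST SP 800-38G's FF1 over decimal digits, but uses HMAC-SHA256 as the round
function instead of FF1's AES-CBC-MAC so it needs only the standard library.
It is not FF1, not Voltage's product, and not for production use.
"""
import hashlib
import hmac

RADIX = 10   # inputs and outputs are decimal digit strings
ROUNDS = 10  # same round count as FF1


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test that real PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _round_function(key: bytes, tweak: bytes, i: int, half: str, m: int) -> int:
    """Keyed PRF for round i, reduced to an integer in [0, RADIX**m)."""
    msg = tweak + b"|" + bytes([i]) + b"|" + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (RADIX ** m)


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt a digit string to a digit string of the same length (a bijection)."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need a digit string of length >= 2")
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v           # length of the half being replaced
        c = (int(a) + _round_function(key, tweak, i, b, m)) % (RADIX ** m)
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Inverse of fpe_encrypt: same rounds in reverse, subtracting instead of adding."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need a digit string of length >= 2")
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_function(key, tweak, i, a, m)) % (RADIX ** m)
        a, b = str(c).zfill(m), a
    return a + b


def encrypt_pan(key: bytes, pan: str, keep_leading: int = 6, keep_trailing: int = 4) -> str:
    """Encrypt only the middle digits; BIN and last four stay clear for routing and receipts.

    The clear digits are bound in as the tweak, so identical middle digits under a
    different BIN or last four encrypt to a different value.
    """
    if not pan.isdigit():
        raise ValueError("PAN must be digits only")
    head, tail = pan[:keep_leading], pan[len(pan) - keep_trailing:]
    mid = pan[keep_leading:len(pan) - keep_trailing]
    return head + fpe_encrypt(key, (head + tail).encode("ascii"), mid) + tail


def decrypt_pan(key: bytes, protected: str, keep_leading: int = 6, keep_trailing: int = 4) -> str:
    """Recover the original PAN; only the system holding the key can do this."""
    if not protected.isdigit():
        raise ValueError("protected PAN must be digits only")
    head, tail = protected[:keep_leading], protected[len(protected) - keep_trailing:]
    mid = protected[keep_leading:len(protected) - keep_trailing]
    return head + fpe_decrypt(key, (head + tail).encode("ascii"), mid) + tail


def demo_key() -> bytes:
    """Constructed test key; a real deployment would use a managed AES key."""
    return hashlib.sha256(b"example key, not for production").digest()


if __name__ == "__main__":
    key = demo_key()
    pan = "4111111111111111"  # well-known Visa test number, constructed input
    protected = encrypt_pan(key, pan)
    print(f"{pan} -> {protected} (Luhn valid: {luhn_valid(protected)})")
    print("recovered:", decrypt_pan(key, protected))
```

The protected value keeps the PAN's length, digit alphabet, BIN and last four, so databases, reports and receipt logic keep working without ever holding the real number, and only the system with the key stays in PCI scope. The output generally fails the Luhn check, which is useful for telling protected values from live card numbers; deployments that need Luhn-valid output recompute the check digit afterwards. Note the small domain: with six middle digits there are only a million possible plaintexts, which is why binding the clear digits in as a tweak matters. In production use a vetted FF1 or FF3-1 library rather than this HMAC stand-in.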

About the Author:

Mark Bower is a vice president at Voltage Security and has been involved in and contributed to many PCI SSC special interest groups, including the PCI SSC P2PE and Tokenization Special Interest Groups (SIGs). Voltage Security is a leading contributor to cryptography standards for data security in government, payments and the financial sector, including ANSI, the IEEE and NIST. For more information, see www.voltage.com.