Skip to content
Payment Card YearbooksPayment Card Yearbooks
0
New data security standards published

New data security standards published

Following various high-profile encryption protocol vulnerabilities, the PCI Security Standards Council has published an out-of-schedule update to the PCI Data Security Standards (PCI DSS) and Payment Application Data Security Standard (PA-DSS).

Versions 3.1 of the PCI DSS and PA-DSS were effective on publication —15 April 2015

4 out of 5 merchants fail PCI DDS compliance test

PCI Security Standards Council

and 1 June 2015 respectively. This marks a change for the Council, which usually publishes revisions to the standard every 3 years.

Recent well-publicised encryption flaws have made it easier for attackers to compromise website security and capture sensitive customer data for criminal gain, electronic surveillance and so on. Attacks such as Heartbleed, Poodle, Feast and Beast use man-in-the-middle style techniques to compromise encryption levels. All these attacks exploit security vulnerabilities in Secure Sockets Layer (SSL) and early versions of Transport Layer Security (TLS) protocols.

The National Institute of Standards and Technology (NIST) has identified that SSL and early versions of TLS (version 1.0 and in some cases version 1.1) no longer constitute ‘strong cryptography’. Naturally this has had a direct impact on the PCI DSS and PA-DSS.

“We are focused on providing the strongest standards and resources to help merchants and their business partners protect against the latest threats to payment data. The PCI Standards development process allows us to do this based on industry and market input,” said Stephen Orfei, general manager, PCI SSC.

“With PCI DSS 3.1 and supporting guidance we are arming organisations with a pragmatic, risk-based approach to addressing the vulnerabilities within the SSL protocol that can put payment data at risk.”

PCI DSS version 3.0 will be retired on 30 June 2015. SSL and early TLS cannot be used as security controls to protect payment data after 30 June 2016.

As for PA-DSS, new application submissions to PA-DSS 3.0 will be accepted until 31 August 2015. Those awaiting validation against PA-DSS 3.0 have until 30 November 2015 to complete this process. The expiry date for payment application listings validated to PA-DSS 3.1 is 28 October 2019.

The post New data security standards published appeared first on Payments Cards & Mobile.

Since their origin in 1996 as the Payment Cards Statistical Yearbooks have
expanded each year and now comprise of two separate publications.

The European Payment Cards Yearbook covers the EU27 countries plus Iceland, Norway, Serbia, Switzerland, Turkey and UK.

The Eurasian Payment Card Yearbook covers Russia and the countries of the former Soviet Union – Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Ukraine and Uzbekistan.
American Express
Apple Pay
Diners Club
Discover
Maestro
Mastercard
Shop Pay
Union Pay
Visa

© 2024 Payment Card Yearbooks, All rights reserved. Powered by Shopify

Cart 0

Your cart is currently empty.

Start Shopping
Trending Now