Preparing for PCI-DSS Version 3.0

Steps Organizations Should Take to Comply With Updates

Troy Leach and Bob Russo

Version 3.0 of the PCI Data Security Standard goes into effect Jan. 1, 2014, so organizations need to shore up their compliance programs, say Troy Leach and Bob Russo of the PCI Security Standards Council.

"Next year is really a market implementation year, so we encourage everyone to review and become familiar with the new standards before their required assessments are due," says Russo, general manager of the council, in an interview with Information Security Media Group [transcript below].

Among the new requirements of version 3.0 are steps to mitigate payment card risks posed by third parties, such as cloud providers and payment processors.

The new version also stresses that businesses and organizations that accept and/or process cards are responsible for ensuring the third parties they rely on for outsourced solutions and services use appropriate security measures, says Leach, the council's chief technology officer.

"Many of the breaches have involved the integrity of the third parties," Leach says. "Organizations need to help those types of entities understand their PCI responsibilities."

Contract Requirements

Another new requirement in the PCI-DSS update calls for the contracts between third parties and the businesses, retailers and other entities that accept card payments to specifically spell out card security obligations, Leach says. "Organizations must have a written agreement with the service provider to ensure they understand their obligations to secure data," he says.

Businesses, merchants, banking institutions and others responsible for complying with the PCI DSS and the PCI Application Data Security Standard have until January 2015, when enforcement of the updated requirements begins, to shore up their compliance programs, Russo says.

"There's a full year before the previous version is retired, so this gives companies time to familiarize themselves with the new requirements and make any kind of adjustments to their programs based on their business environments and whatever their security strategies are," he says.

During this interview, Russo and Leach discuss:

Critical requirements added in version 3.0;
PCI's impact on mobile payments;
New requirements for qualified security assessors.

For more information, see also: PCI Updates Address Retail Breaches.

Russo brings more than 25 years of high-tech business management, operations and security experience to his role as the general manager of the PCI Security Standards Council. He guides the organization's efforts to improve data security standards for merchants, banks and other key stakeholders involved in the global payment card transaction process. He works with representatives from American Express, Discover Financial, JCB, MasterCard Worldwide and Visa International to drive awareness and adoption of the PCI-DSS.

In his role as lead security standards architect for the PCI Security Standards Council, Leach has developed and implemented a comprehensive quality assurance program to promote consistency within the council's QSA, ASV, PA-DSS and PED programs. Before joining the council, Leach led the incident-response program at American Express, where he reviewed more than 300 cases of account data compromises. Over the past 18 years, he has held positions in systems administration, network engineering, IT management, security assessment and forensic analytics.

Changes in Version 3.0

TRACY KITTEN: What would you say are some of the biggest changes that are being made to version 3.0 based on feedback that you've gathered?