Advertiser Disclosure

New Payment Card Security Standards and What They Mean to Consumers

Jan. 29, 2014
Credit Cards
Many or all of the products featured here are from our partners who compensate us. This may influence which products we write about and where and how the product appears on a page. However, this does not influence our evaluations. Our opinions are our own.


If you’ve been following news of the Target security breach, you may be wondering what measures are being taken to improve the security of consumer information these days. The Payment Card Industry Security Standards Council (PCI SSC) released its new security standards (PCI DSS v3.0) in November 2013, before the Target firestorm, and most of the regulations went into effect in January. If you’re interested in the nitty-gritty of the new rules, head over to PCI SSC and check them out. If that seems daunting, though, don’t stress about it. We’ll tell you everything you need to know.

Much of v3.0 is the clarification of previous regulations (v2.0), but there are a few evolving (aka “new”) requirements. Here are the highlights, effective January 2014:


All companies that store, transmit or process cardholder data must:

  • Both document and implement firewall and router standards.
  • Change all vendor default passwords. This applies to systems, applications, security software, and terminals. Unnecessary default accounts must be removed or disabled.
  • Perform risk assessment at least annually and after significant changes to the environment.

New regulations

All companies that store, transmit or process cardholder data must:

  • Have a current network diagram that includes card holder data flow.
  • Maintain an inventory of system components used in processing secure consumer data for PCI DSS to support development of configuration standards.
  • Evaluate evolving malware threats for any systems not considered to be commonly affected by malicious software.
  • Ensure that anti-virus solutions are actively running and cannot be disabled or altered by users unless specifically authorized by management on a per-case basis.
  • Link other authentication mechanisms, such as physical or logical security tokens, smart cards, and certificates, when they are used, to an individual account so that only the intended user is allowed access with that mechanism.
  • Control physical access to sensitive areas for onsite personnel, and must have a process to authorize access, and revoke access immediately upon employee termination.
  • Include changes to identification and authentication mechanisms (including creation of new accounts, elevation of privileges) as well as all changes, additions, deletions, to accounts with administrative access.
  • Include stopping or pausing of audit logs.
  • Include an inventory of authorized wireless access points and a business justification to support scanning for unauthorized wireless devices, follow the already-existing testing procedure, and include incident response procedures if unauthorized wireless access points are detected.
  • Perform tests to check that the methods for keeping sensitive information separate from other networks are operating and are effective.
  • Implement a process to respond to any alerts generated by the change-detection mechanism (file monitoring software)
  • Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.

The good news for companies is that they have increased flexibility for password complexity and strength alternatives that meet the equivalent requirement.

New regulations, effective June 2015

There are a few more challenging requirements that are considered best practice for the next 18 months. These include:

  • Protecting from tampering and substitution, devices that capture payment card data via direct physical interaction.
  • Implementing a methodology for penetration testing (in other words, creating a procedure for assessing risk by trying to break into the system).
  • Finally, third-party service providers must create coding practices to protect against broken authentication and session management, as well as use unique authentication credentials for each customer when accessing customers remotely.

Yes, yes, there are a lot of new rules. Who’s going to abide by them?

It’s really important for merchants to instill trust in their customers by keeping sensitive customer information safe, so that customers want to return again and again. That’s one reason for merchants to follow these rules and to choose trustworthy third-party service providers. Another is that the bank that processes merchant transactions can be fined up to $100,000 per month for PCI compliance violations. The bank then passes those fines on to a problematic merchant and could refuse to do business with that merchant, possibly forcing the merchant to close its doors.

Will the new regulations prevent another breach?

The short answer: probably not. While the new regulations definitely make it more difficult for fraudsters to get a hold of your personal information, new malware is being developed all the time, and there is no fail-safe prevention. These new regulations do, however, clarify many of the practices that companies may have found confusing in the past, making it so that a breach is less likely to be caused by human error. Many argue that Americans would be more protected against fraud if we all went the way of the Europeans and started carrying EMV chip-with-signature credit cards. There are several of these cards available on our side of the pond, so if you’re still feeling less than confident about the security of your personal information, that might be a route to consider.

Consumer image via Shutterstock