November 7, 2013 – The Payment Card Industry Security Standards Council (PCI SSC) has released Version 3.0 of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS); the new standards can be downloaded from the PCI SSC website. Version 3.0 takes effect in January 2014, and Version 2.0 remains valid until December 31, 2014, so that assessed entities have sufficient time to transition to the new version.

In line with the PCI DSS and PA-DSS development lifecycle and with global industry needs and feedback, the standards go through a formal revision every three years. Version 3.0 gives organizations greater flexibility and places more emphasis on education, awareness, and security as a shared responsibility (for example with third parties), so that payment security becomes part of business as usual.

The changes in the new version include specific recommendations for building PCI DSS into day-to-day business processes and best practices so that compliance is maintained continuously; an updated Navigating PCI DSS guidance document; and enhanced testing procedures that clarify the level of assessment expected for each requirement.


New requirements in PCI DSS 3.0:

Req. 5.1.2 – evaluate evolving malware threats for any systems not considered to be commonly affected
Req. 8.2.3 – combined minimum password complexity and strength requirements into one, and increased flexibility for alternatives
Req. 8.5.1 – for service providers with remote access to customer premises, use unique authentication credentials for each customer*
Req. 8.6 – where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), these must be linked to an individual account and ensure only the intended user can gain access
Req. 9.3 – control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination
Req. 9.9 – protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution*
Req. 11.3 and 11.3.4 – implement a methodology for penetration testing; if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective*
Req. 11.5.1 – implement a process to respond to any alerts generated by the change-detection mechanism
Req. 12.8.5 – maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity
Req. 12.9 – for service providers, provide the written agreement/acknowledgment to their customers as specified in requirement 12.8.2*

* Best practice until June 30, 2015, after which it becomes a requirement.

New requirements in PA-DSS 3.0:

Req. 5.1.5 – payment application developers to verify integrity of source code during the development process
Req. 5.1.6 – payment applications to be developed according to industry best practices for secure coding techniques
Req. 5.4 – payment application vendors to incorporate a versioning methodology for each payment application
Req. 5.5 – payment application vendors to incorporate risk assessment techniques into their software development process
Req. 7.3 – application vendor to provide release notes for all application updates
Req. 10.2.2 – vendors with remote access to customer premises (for example, to provide support/maintenance services) to use unique authentication credentials for each customer
Req. 14.1 – provide information security and PA-DSS training for vendor personnel with PA-DSS responsibility at least annually

A more detailed summary of changes to the standards is available on the PCI SSC website.

