Payment Card Industry Data Security Standard (PCI DSS) updated to version 3.0
11/08/2013 New standards from the Payment Card Industry Security Standards Council go into effect 1/1/2014 with a year for transition. Some requirements have until July 2015 for implementation.
Some updates seem like basic precautions that should already be in place. Here are two examples: Requirement 6.5.10, says companies should examine their software development procedures to make sure that broken authentication and session management processes are addressed. Requirement 12.9 requires recognition that outsourced IT is a security risk and that service providers have to provide a writing to customers that they are responsible for the security. This requirement is not mandatory until July 2015.
While the updates as a whole are significant they represent no core improvement in protection.
The jewels are still in the vault.
The PCI Security Standards Council released version 3.0 of the PCI Data Security Standard (PCI DSS) and corresponding Payment Application Data Security Standard (PA-DSS), adding new security requirements and guidance for payment-card industry organizations, including merchants, payment processors, financial institutions, and service providers. … The effectiveness of the PCI DSS, whose primary goal is to help organizations secure cardholder data, is disputed in the security community. That’s partly because there have been many cases of merchants and payment processors that suffered significant cardholder data breaches despite having passed PCI DSS compliance assessments
The article
http://www.pcworld.com/article/2062140/payment-card-industry-gets-updated-security-standard-with-new-requirements.html
The new standards
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf