PCI DSS v4.0 release delayed

PCI DSS v4.0 release delayed

The publi­cation of a new, funda­men­tally revised version of the payment trans­action standard PCI DSS has been announced since 2019. We are eagerly awaiting the changes that the new version will bring.

After PCI DSS v4.0 had already undergone two RFC phases in 2019 and 2020, the PCI Security Standards Council has now decided to also initiate an RFC phase for supporting documents, in particular for

  • the template for the Report on Compliance (ROC),
  • the template for the Attes­tation of Compliance (AOC), and
  • the self-assessment question­naires (SAQs)

in June 2021. However, this will also delay the publi­cation of PCI DSS v4.0.

Instead of the announced release period in Q2 2021, the aimed period of final­ization is now Q4 2021. The actual release date has not yet been specified.

We must therefore be patient a little longer before we can properly plan the migration. With the shift of the publi­cation date, the planned transition periods from PCI DSS v3.2.1 to v4.0 have also been postponed. We are therefore also postponing our PCI DSS v4.0 webinars to 2022.

SRC-Expertin Ehlers: Standards of the Payment Card Industry (PCI)

SRC-Expert Ehlers: Standards of the Payment Card Industry (PCI)

“PCI compliance requires know-how and resources.” SRC expert Jana Ehlers explains the different PCI security standards in an article which has just been published on the profes­sional platform “All About Security”.

In view of the increasing number of card payments in pandemic times, the protection of payment card data is a very current topic.

All PCI standards aim at protecting payment card data of inter­na­tional payment systems. The most well-known standard alone, PCI DSS, has around 250 individual require­ments. If these are already taken into account when setting up networks and struc­tures, there is often no need for complex and expensive retrofits. But also the permanent mainte­nance of PCI DSS conformity poses challenges for companies.

SRC examines and advises on PCI standards since their emergence in 2006. This experience can be used to correctly under­stand and consider the inten­tions of the PCI standards. SRC accom­panies through the whole process. Thus, not only PCI-conformity can be achieved in an under­standable way, but also a great deal more security for the customers’ payment card data worthy of protection.

SRC recognized as SPoC/CPoC Lab by the PCI SSC

SRC recog­nized by PCI SSC as SPoC and CPoC Security Lab

Today, the worldwide operating PCI Security Standards Council has recog­nized SRC as the fourth laboratory for the perfor­mance of security tests for SPoC and CPoC solutions.

With SPoC solutions (Secure PIN Entry on Commercial-off-the-Shelf devices) a merchant can accept payments with commer­cially available mobile devices.

While the SPoC program describes solutions with PIN entry, the CPoC program is aimed exclu­sively at contactless solutions that do not require PIN entry.

A SPoC solution consists of four core components

  • a Secure Card Reader for PIN (SCRP), an external and PCI PTS approved card reader,
  • a tested PIN CVM App for secure PIN entry on the merchant’s standard mobile device,
  • the retailer’s mobile device (COTS device) such as a smart­phone or tablet, and
  • a background system that contributes signif­i­cantly to the security of the overall system by means of attes­tation, monitoring and processing.

With CPoC, the PCI SSC has developed require­ments for solutions for processing contactless payments without PIN entry (“Tap and Go”) on commer­cially available mobile devices (commercial off-the-shelf, COTS), such as smart­phones or other mobile commercial off-the-shelf (COTS) devices with NFC interface.

With the SPoC and CPoC programs, the PCI SSC meets the increasing demand for new and secure accep­tance solutions and ensures security in the accep­tance of payments via mobile phones and tablets. The corre­sponding tests are now also carried out by SRC.

The recog­nition of SRC as a lab for the programmes SPoC and CPoC is an important signal to the market. Customers from this innov­ative environment can now also make use of SRC’s expertise for the devel­opment of secure payment solutions.

PCI DSS guidance for Large Organizations

PCI DSS best practices guidance for large organi­za­tions published

SRC Security Research & Consulting GmbH contributed to the most recent PCI (Payment Card Industry) Security Standards Council Special Interest Group (SIG). The resulting guidance on PCI DSS for Large Organi­za­tions is now published.

Complex organi­za­tions, corpo­ra­tions and companies often face specific challenges when imple­menting PCI DSS (Payment Card Industry Data Security Standard) require­ments: the hetero­geneity of their infra­struc­tures and processes, the constant change of corporate struc­tures, and dealing with diverse require­ments, respon­si­bil­ities and management tasks.
The new guidance on PCI DSS for Large Organi­za­tions helps large and/or complex organi­za­tions coordinate and manage their PCI DSS activ­ities across multiple environments.

  • PCI DSS guidance for Large Organi­za­tions //document.