PCI Compliance – Differences Between DSS 2.0 and 3.0


If you’ve heard the term PCI compliance before, you’re probably aware that the PCI DSS (Payment Card Industry Data Security Standard) is the industry standard for keeping cardholder data secure wherever payment cards are accepted, processed, stored or transmitted. Not only do these practices protect consumers, but maintaining compliance is a requirement that the card brands and acquiring banks impose on any business that wants to accept card payments.

Credit card processing and the technology behind it do not stand still. Companies are always looking for new ways to reduce card fraud or make it easier for consumers to complete their purchases, and attackers keep adapting as well. That changing landscape is why the PCI Security Standards Council (PCI SSC), which maintains the standard, periodically publishes updated versions of its requirements for both merchants and service providers.

The most recent major update to the standard was PCI DSS 3.0, published in November 2013. Although most of the highly technical requirements are handled by processors and other service providers, merchants remain responsible for the parts of the standard that apply to their own environment, so it helps to know what those are. With that in mind, here are the most significant differences between DSS 2.0 and 3.0:

Handling Cardholder Data on a Need to Know Basis

One finding that recurs across breach investigations of all sizes is that people inside the payment chain, whether careless, compromised or malicious, are involved far more often than their numbers would suggest. That is one reason the standard requires regular security awareness training for cashiers and any other employees who handle card data at the point of sale. Training alone doesn’t limit what a compromised account can reach, though, so DSS 3.0 also sharpens Requirement 7: access to cardholder data must be restricted to what each job role actually needs, with those access needs defined per role rather than granted by default. A useful illustration is a medical practice: physicians and nurses need a patient’s clinical record, not the patient’s card details, so they shouldn’t have direct access to billing information.

Protecting Against Malware

Antivirus software that is merely installed is no longer treated as adequate protection for systems that touch financial information. Since malware is getting more sophisticated, DSS 3.0 requires that systems not traditionally considered vulnerable to malware be periodically re-evaluated as threats evolve (Requirement 5.1.2), and that anti-malware mechanisms be actively running and not able to be disabled or altered by users (Requirement 5.3). It also adds Requirement 9.9: devices that capture card data through direct physical interaction with the card, such as card readers and POS terminals, must be inventoried, periodically inspected for tampering or substitution, and staff must be trained to recognize both. That applies just as much to card readers attached to tablets and other mobile devices used to take payments as it does to traditional POS hardware.

Stricter Policies for the Storage and Protection of Data

PCI compliance has always required proper measures to protect stored cardholder data: sensitive authentication data (full magnetic-stripe track data, the card verification code and the PIN) may not be retained after authorization, and a stored primary account number must be rendered unreadable (Requirement 3). DSS 3.0 keeps all of that and adds more detail on how the encryption keys protecting stored data must themselves be stored and managed. This is the main reason businesses should work with a processing company that already has these controls in place, for example by tokenizing card numbers so the merchant never stores them, rather than trying to manage that kind of data on their own. One caveat: outsourcing storage shrinks a merchant’s compliance scope but does not transfer responsibility. DSS 3.0 adds Requirement 12.8.5, which obliges the merchant to keep a record of which PCI DSS requirements each service provider manages and which remain the merchant’s own.

Helping Users Create Better Passwords

With more information than ever stored in the cloud and behind remote logins, users and employees need genuinely strong passwords. However, most people still don’t realize how important that is, which is why one difference between DSS 2.0 and 3.0 is an explicit focus on educating users. DSS 3.0 adds Requirement 8.4, which obliges organizations to document their authentication policies and communicate them to all users, including guidance on selecting strong credentials, protecting them, and not reusing them. The technical floor in Requirement 8.2.3 stays at passwords of at least seven characters containing both letters and numbers, alongside the existing rules on account lockout after repeated failures, 90-day password expiry and a ban on reusing recent passwords, and the standard describes all of these as minimums rather than targets.
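To make the Requirement 8 minimums concrete, here is an added example (not code from the original post or from any processor) of how a small account-management module can enforce them. The thresholds are taken from PCI DSS v3.0 (8.2.3 length and character mix, 8.2.4 expiry, 8.2.5 history, 8.1.6 and 8.1.7 lockout); the Account class, the PBKDF2 parameters and the dates in the demo are illustrative choices.

```python
"""Password-policy and lockout checks modelled on PCI DSS v3.0 Requirement 8.

Added example, not the blog's or any vendor's code.  Thresholds from v3.0:
  8.2.3  at least 7 characters, containing both numeric and alphabetic characters
  8.2.4  user passwords changed at least every 90 days
  8.2.5  a new password must differ from any of the last four used
  8.1.6  lock the user ID after no more than six failed attempts
  8.1.7  lockout lasts at least 30 minutes (or until an administrator unlocks)
The Account class and the PBKDF2 settings are illustrative assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 7
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 4
MAX_FAILED_ATTEMPTS = 6
LOCKOUT = timedelta(minutes=30)


def complexity_problems(password: str) -> list[str]:
    """Return the 8.2.3 rules a candidate password violates (empty list == OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no numeric character")
    if not any(c.isalpha() for c in password):
        problems.append("contains no alphabetic character")
    return problems


def _derive(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-SHA256; the iteration count is an illustrative assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Account:
    """Minimal user record holding the state Requirement 8 needs."""

    def __init__(self, user_id: str, password: str, now: datetime):
        self.user_id = user_id
        self.history: list[tuple[bytes, bytes]] = []  # (salt, digest), newest last
        self.changed_at = now
        self.failed_attempts = 0
        self.locked_until: datetime | None = None
        problems = self.set_password(password, now)
        if problems:
            raise ValueError("; ".join(problems))

    def _matches(self, password: str, entry: tuple[bytes, bytes]) -> bool:
        salt, digest = entry
        return hmac.compare_digest(_derive(password, salt), digest)

    def set_password(self, new_password: str, now: datetime) -> list[str]:
        """Apply 8.2.3 and 8.2.5; return the violations, or [] after changing it."""
        problems = complexity_problems(new_password)
        if any(self._matches(new_password, e) for e in self.history[-HISTORY_DEPTH:]):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.append((salt, _derive(new_password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]  # current plus three previous
        self.changed_at = now
        return []

    def is_expired(self, now: datetime) -> bool:
        """8.2.4: a password older than 90 days must be changed before use."""
        return now - self.changed_at > timedelta(days=MAX_AGE_DAYS)

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def authenticate(self, password: str, now: datetime) -> bool:
        """Verify the current password, enforcing the 8.1.6/8.1.7 lockout."""
        if self.is_locked(now):
            return False  # even a correct password is refused while locked
        if self.history and self._matches(password, self.history[-1]):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + LOCKOUT
            self.failed_attempts = 0
        return False


def demo() -> dict:
    """Walk through each rule with constructed dates and return the outcomes."""
    t0 = datetime(2016, 1, 25)  # constructed reference time
    acct = Account("cashier01", "winter2015", t0)
    out = {"login_ok": acct.authenticate("winter2015", t0)}
    out["reuse_rejected"] = acct.set_password("winter2015", t0)
    out["change_ok"] = acct.set_password("spring2016", t0 + timedelta(days=1))
    out["old_password_rejected"] = acct.authenticate("winter2015", t0 + timedelta(days=1))
    out["expired_at_89_days"] = acct.is_expired(t0 + timedelta(days=90))
    out["expired_at_91_days"] = acct.is_expired(t0 + timedelta(days=92))
    for _ in range(MAX_FAILED_ATTEMPTS):
        acct.authenticate("bad1pass", t0)
    out["locked"] = acct.is_locked(t0)
    out["correct_password_while_locked"] = acct.authenticate("spring2016", t0)
    out["login_after_lockout"] = acct.authenticate("spring2016", t0 + LOCKOUT)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The history list deliberately keeps the current password as its last entry, so a reuse check against the last four entries covers the current password plus the three before it, and `authenticate` refuses a correct password while the account is locked rather than silently extending the lockout.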

While it’s helpful to know where the Security Standards Council feels the most attention is needed, we want to emphasize again that the most important step for establishing and maintaining PCI compliance is to choose a reputable credit card processing company that will help you ensure all necessary standards are implemented. Keep in mind, though, that the merchant is still the party attesting to its own compliance: the processor takes over the requirements it manages, and the merchant documents that split and remains responsible for the rest.

Posted on Monday, January 25th, 2016