Can PCI DSS version 3.0 Deliver on its Risk Management Promise?

There have been few subjects that have stirred more controversy in information security than PCI DSS. Some say it has done more to raise the level of security preparedness of millions of merchants than anything before, whereas others claim it has “dumbed-down” security to a check box standard.


The most recent revision to the PCI DSS is version 3.0, which goes into effect January 1, 2014. The PCI Council has stated that risk management is a major goal of the PCI DSS. This will hopefully entail a more security centric approach to PCI compliance rather than the least common denominator approach of earlier versions.

Moving to a risk management-centric goal is one that many within the industry have clamored for, and if the new risk-based approach will result in organizations adopting better security standards, then PCI DSS 3.0 will have succeeded where its predecessors have come up short.

Making PCI compliance “business-as-usual” is really an overarching theme of PCI 3.0. The idea that a merchant can be PCI compliant on a given day or point in time and then not compliant the next day when a breach takes place caused many in the security industry reason to doubt the integrity or relevance of PCI compliance. Rather than a point-in-time test, the new PCI DSS wants security to be a more holistic, integrated business process. It is more about continuously securing the environment of the merchant as well as the processes and policies in place than a point-in-time check.

The PCI Council and its members responsible for drafting the new version of the standards have listened to those in the industry who wanted to see PCI DSS evolve. The proof will come as organizations develop and implement the new processes needed to implement the new standard over the next several years.