And Camejo is just one of many who point out that the cost of compliance is far less than the potential cost of fines for noncompliance, which can be tens of thousands of dollars per month, or the cost of a major breach, which easily run into the hundreds of millions, as in the cases of TJX ($256 million), Sony ($171 million), and Heartland Payment Systems ($140 million).
"Current estimates of the cost of a breach run between $200 and $300 per compromised card," he said, which would mean Target would be looking at as much as $8 billion on the low end.
Among the other more significant new or revised requirements are:
Physical security of PoS terminals
"This is a big one," Chuvakin said, but added that "additional environment security guidance is much needed as well."
Camejo agreed it is important, but said it "falls into the category of things they should have been doing already anyway."
A network diagram that shows what is connected to cardholder data and its flow through the system
Camejo said what looks like a subtle change here is really quite significant, since it expands the scope of what is covered by the standards. "Previously, it included anything that stores, processes, or transmits cardholder data. Version 3.0 adds that anything that is connected to or can affect the security of the cardholder data is also in-scope," he said.
"The organizations that have been cutting corners — either willfully or out of ignorance — will have a much tougher time."
And Chuvakin said that even if it is difficult for some merchants, "it really does open your eyes about where the card data moves, how and when."
Pen testing, which includes verification that segmentation is working effectively
Chuvakin said this should improve security, since "since a lot of shoddy pen testing was sold that was essentially a guy with a vulnerability scanner."
Camejo said he views the requirement for validation of segmentation as, "a huge thing. Organizations often get segmentation wrong and this will help make sure they're doing it correctly," he said.
Strengthening password policies, tokens and certificates
"I think this is one of the most valuable requirements," Conroy said. "Poor passwords are responsible for the bulk of the data breaches that are taking place right now. This is an easy, low-cost way to eliminate a lot of the current vulnerabilities."
The update doesn't cover everything. Bit9's Strand said other areas he would like to have seen addressed include encryption key management and classification to ensure and monitor remote, secure and administrative access; greater scrutiny of access management to protect against insider threats as well as malicious external attacks; and better endpoint protection of assets like PoS devices.
Sign up for Computerworld eNewsletters.