New payment security standards released
Merchants and payment card issuers are to make payment security more of an ongoing element in their risk management, following the Payment Card Industry Security Standards Council's release of revised payment card security standards. Version 3.0 of the PCI Data Security Standard and the related standard for software developers, the Payment Application Data Security Standard, were released on Friday and will take effect on January 1 next year.

PCI security standards are technical and operational requirements designed to protect cardholder data, and they apply to all entities that store, process or transmit cardholder data. The broad aim of the new standards is to make payment security a "business as usual activity" for merchants, card issuers and card scheme operators, and for compliance to be an ongoing activity. The council wants industry participants to achieve this by providing more staff education to raise security awareness.

Specific changes include stricter firewall and router requirements, and a requirement that all vendor default passwords for systems, applications, security software and terminals be changed. According to the PCI council, the widespread practice of leaving default passwords unchanged provides easy access for hackers and is akin to leaving business premises unlocked.

The new standards also clarify the rules for handling sensitive data, such as rendering authentication data unrecoverable, masking account numbers and managing encryption systems, and they call for a higher level of documentation of procedures. There is also a requirement for the ongoing evaluation of malware threats.

Woolworths' group information risk manager, Peter Cooper, said the PCI council is keen for the industry to do a better job of managing payment data. Woolworths has a representative on the PCI council's board of advisors.

Cooper said: "Businesses need to know where their card data is; they need to clean it up and get it into one secure place. The council is also encouraging businesses to use security management tools that monitor file integrity and look for unauthorised changes to files."

The chief executive of the Australian Payments Clearing Association, Chris Hamilton, said the new standards were "sensible, good order-updating", and that most of the changes were things that financial institutions and merchants should already be doing. APCA is an affiliate member of the PCI council.

Hamilton said some of the changes were in line with developments already underway in Australia, including improving education and awareness among employees about issues such as card skimming.
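The file-integrity monitoring that Cooper refers to comes down to a simple mechanism: record a cryptographic hash of every file in scope, then periodically re-hash and report anything added, removed or changed. The example below is added here to illustrate that mechanism and is not code from the article, the PCI council or any named organisation; the directory layout and file contents it hashes are constructed inside the example so it runs offline.

```python
"""Minimal file-integrity monitor: baseline a directory tree with SHA-256,
re-scan later, and report added, removed and modified files.

Added illustration of the technique the article mentions; the sample files
are constructed in a temporary directory and are not real payment data."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its SHA-256.

    Sorted traversal keeps the baseline deterministic, which makes it easy to
    sign or store in a separate, write-protected location."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Diff two baselines; each bucket is a sorted list of relative paths."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "conf").mkdir()
        (root / "bin").mkdir()
        (root / "conf" / "app.cfg").write_text("db_host=localhost\n")   # constructed
        (root / "bin" / "pos.sh").write_text("#!/bin/sh\necho pos\n")    # constructed
        (root / "README").write_text("constructed sample file\n")       # constructed

        baseline = build_baseline(root)

        # Simulate what a later scan might find: one edit, one new file, one deletion.
        (root / "conf" / "app.cfg").write_text("db_host=10.0.0.5\n")
        (root / "bin" / "extra.sh").write_text("#!/bin/sh\n")
        (root / "README").unlink()

        return compare_baselines(baseline, build_baseline(root))


if __name__ == "__main__":
    report = demo()
    for bucket, paths in report.items():
        print(f"{bucket}: {paths}")
```

Two points matter more than the hashing itself. The baseline has to be stored somewhere the monitored host cannot silently rewrite it (a signed copy on a separate system is the usual choice), otherwise an intruder who changes a file can update its recorded hash as well. And the report is only useful if someone reviews it on a schedule and can tell a change-managed deployment from an unexpected one, which is the "business as usual" discipline the standard is asking for; production tools additionally track permissions, ownership and timestamps, which this example omits.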