Get a head-start on PCI 3.0
As we head into the New Year, QSAs and organizations alike begin preparing for their annual Report on Compliance (RoC). A year ago, the PCI Council announced that version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS) would come into effect beginning January 1, 2015. The Council updated the standard to provide greater clarification and additional guidance on the PCI DSS 2.0 requirements, and to move the DSS closer to industry expectations. Although the changes from PCI DSS 2.0 to 3.0 were not dramatic, it takes time to fully understand the Council's intent. The following is an overview of the changes from 2.0 to 3.0 and suggestions for upcoming RoCs in 2015.
The Need for New Requirements
Recently, the PCI Council observed that the number of identified vulnerabilities across all industries is increasing. Because many organizations lack the education and awareness needed to monitor, detect, and defend against such exploits, the Council set out to provide consistency and to clarify much of the terminology and the descriptions of the requirements. What prompted these changes in PCI policy?
- Many companies were still using weak passwords.
- In general, there is a lack of education and awareness around PCI.
- Recent data breaches have often involved third-party security challenges.
- Many security issues are caused by the slow detection of malware.
Specific Changes to Note:
- Business as Usual Processes:
  - Hands-on and continual awareness and education training is now required
  - An inventory of the system components in PCI scope is now required
  - Regular Point of Sale (PoS) equipment inspection is now required
  - New efforts focused on managing your vendors and service providers are also required
- New Penetration Testing Methodology (Requirement 11.3)