Well, as you might have heard, the final version of the PCI DSS 3.0 requirements will be published only in November 2013 and will take effect from January 2014. So it's time to get a glimpse of the changes proposed for the new version.
| PCI DSS Requirement (current standard) | Proposed PCI DSS Update for 3.0 on top of existing standards | Reason for the change |
|---|---|---|
| Install and maintain a firewall configuration to protect cardholder data. | Have a current diagram that shows cardholder data flows. | To clarify that documented cardholder data flows are an important component of network diagrams. |
| Do not use vendor-supplied defaults for system passwords and other security parameters. | Maintain an inventory of system components in scope for PCI DSS. | To support effective scoping practices. |
| Use and regularly update antivirus software. | Evaluate evolving malware threats for systems not commonly affected by malware. | To promote ongoing awareness and due diligence to protect systems from malware. |
| Develop and maintain secure systems and applications. | Update the list of common vulnerabilities in alignment with OWASP, NIST, SANS, etc., for inclusion in secure coding practices. | To keep current with emerging threats. |
| Assign a unique ID to each person with computer access. | Security considerations for authentication mechanisms such as physical security tokens, smart cards, and certificates. | To address feedback that requirements for securing authentication methods other than passwords need to be included. |
| Restrict physical access to cardholder data. | Protect POS terminals and devices from tampering or substitution. | To address the need for physical security of payment terminals. |
| Regularly test security systems and processes. | Implement a methodology for penetration testing, and perform penetration tests to verify that the segmentation methods are operational and effective. | To address requests for more details on penetration tests, and for more stringent scoping verification. |
| Maintain a policy that addresses information security. | Maintain information about which PCI DSS requirements are managed by service providers and which are managed by the entity. Service providers are to acknowledge responsibility for maintaining applicable PCI DSS requirements. | To address feedback from the Third Party Security Assurance SIG. |
What do these changes mean to you?
- Policy guidance and operational procedures have to be provided with each requirement
- You would have to maintain an inventory of all systems within your PCI scope
- Redundant sub-requirements will be eliminated
- These changes will bring clarity to the testing procedures for each requirement
- The requirements around penetration testing and validation of network segmentation have been strengthened
- You would be allowed more flexibility in risk mitigation methods, such as password strength and complexity requirements
Is your IT infrastructure ready?
Well, looking at all these additions to the current PCI requirements, you may feel that it's a big change, but on closer inspection the change is mostly structural. So, the question you need to ask yourself is: how well equipped are you to embrace PCI 3.0?
Some key questions would be:
- Have you established policies and procedures to limit the storage and retention time of PCI data?
- Do you have continuous assessment and reporting systems covering employees at different levels?
- Do you have a SIEM tool that will correlate events and alert you in real time on any security breach?
PCI 3.0 will be effective from January 1, 2014, and it will become mandatory from July 2015!
Are you all set?