PCI-DSS Version 3.0 Risk Improvements
Over the years, most compliance requirements have shared the “check in the box” mentality and in essence provided little advancement in the world of security. While security professionals across the globe tried diligently to inform clients and customers that compliance with a particular mandate did not translate to effective security, very few listened.
Finally, it appears that the Payment Card Industry Security Standards Council (PCI SSC) and the payment card brands have opted to bring "real-world" risk/threat analysis into their compliance requirements, and to do away with the "check-in-the-box" thinking that has hampered so many regulations and led directly to the security breaches of many "compliant" organizations.
Below are eight items that any organization preparing for PCI-DSS 3.0 compliance should be ready for:
- Cardholder Data Flows – Organizations should keep current network diagrams that properly illustrate the flow of cardholder data within the network environment.
- Inventory – Update, review, and maintain an accurate inventory of system(s) components that are considered “in-scope” for PCI-DSS compliance.
- Know the Boundaries – Organizations should clearly define what PCI-DSS requirements are managed by “service providers” and which are maintained in-house.
- Securing Authentication Methods – Password management is no longer the only requirement. Organizations should now apply security controls to other authentication methods, such as security tokens, smart cards, and certificates, in order to meet the compliance requirements for securing authentication beyond passwords alone.
- Malware Review – With many breaches being reported and related to malware, organizations should now be actively evaluating threats for systems NOT commonly affected by malware. This will help to promote ongoing awareness and protect systems from malware.
- Penetration Testing – Gone are the days of mindless penetration testing. PCI-DSS 3.0 requires organizations to follow a specific methodology for Penetration Testing, and to perform penetration testing to verify segmentation methods are operational and effective within the environment.
- Common Vulnerabilities – Organizations must update and maintain a list of common vulnerabilities (similar to OWASP and NIST) to ensure the security of coding practices and keep current with emerging threats.
- POS Protection – Protection of POS terminals and devices against tampering is now required to address the physical security of payment terminals.
Conclusions: Managing Risk
If organizations pay particular attention to the aforementioned items, the transition to PCI-DSS version 3.0 should be easily managed. In addition, companies embarking on their first attempt at PCI compliance with version 3.0 will find themselves well positioned if they prioritize the list above.
While these PCI-DSS 3.0 requirements became effective on January 1, 2014, organizations required to achieve PCI-DSS compliance can continue with PCI-DSS version 2.0 until December 31, 2014.
Praetorian Secure, LLC is a PCI-QSA company and provides a number of PCI-DSS compliance services to our clients. If you are in need of meeting PCI-DSS compliance requirements, please click here or contact us at 855.519.7328 to set up a meeting.