PCI DSS 3.0: What You Need to Know

Posted: October 3rd, 2013
Filed under: IIS & HTTP

This November, the Payment Card Industry (PCI) Security Standards Council will change the PCI Data Security Standard (PCI DSS) and the Payment Application-Data Security Standard (PA-DSS). This means organizations that handle cardholder data will need to update their security to adhere with the new rules. We’ve read the initial documentation and have laid out some of the biggest changes to prepare for over the coming year.

About PCI DSS Guidance

PCI DSS is a set of standards originally developed by the major credit card companies. It was developed to keep credit card information secure and reduce fraud. According to the PCI Standards Security Council, any organization that processes, stores, or transmits data will be required to:

  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

The Biggest Change in Version 3.0

In the previous version of the PCI DSS standard, the method of security acted as a one-point-in-time check box. This meant that organizations weren’t necessarily compliant throughout the year, but rather prepped for a specific test date. Just as studying for the SAT and forgetting everything you learn afterwards doesn’t make you smart, putting security measures in place for a PCI compliance check and removing them after doesn’t make your site secure. But implementing these standards at your organization may help minimize the chance of a security breach. This can save you a lot of time, headaches, and money in the long run.

The core twelve areas (listed below) will remain the same in the updated guidance, but each point will include additional sub points and clarification. This will provide for additional clarity and specificity for how organizations can manage payment security.

These sub-requirements will take time and effort to plan and implement. As a result, the PCI Council has stated that some of the sub-requirements will be considered “best-practices” until July 2015. If your organization is not compliant by then, you may be fined after your next compliance report. Specific requirements may also vary by credit card brand, and are available online.

The main focus of PCI DSS 3.0 is moving to a model that focuses on security, rather than compliance. This means that the themes of education and awareness, increased flexibility, and security as a shared responsibility will become part of the new changes. The PCI Council writes that this approach is “designed to help organizations take a proactive approach to protect cardholder data that focuses on security, not compliance, and makes PCI DSS a business-as-usual practice.”

Updated Security Requirements

Each of the goals comes with at least one specific benchmark to achieve approval. They include:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

Full details and more extensive guidance on each requirement can be found on the PCI Council’s website.

Let’s Get Ready

What are you doing to prepare? Share your tactics in the comments below and stay tuned to our blog for recommendations as the revisions are finalized. And remember you can always try ServerDefender VP to lock down the Web application firewall requirements before the deadline. If you have any questions about PCI DSS Compliance, please feel free to contact our security experts.

No Comments »

Leave a Reply