PCI-DSS 3.0 Helps Merchants Defend Against Emerging Threats

Protecting sensitive personal data continues to be a priority for merchants and businesses that operate in the payment card industry. With the release of PCI-DSS 3.0 many organizations that are already PCI compliant or are working toward becoming PCI compliant are wondering what these changes will mean to their organization.

Let’s take a look at what has changed and the impact this will have on how organizations approach PCI compliance.

Merchants and businesses should find that PCI-DSS 3.0 is easier and more intuitive to work with than earlier versions. The main impact of the changes includes:
  • New requirements for periodic inspection of PIN Entry Devices (PEDs) will have a major impact on retail merchants but will limit the likelihood and impact of skimming and Chip-and-PIN compromises.
  • Greater clarity for organizations and any service provider partners on their respective responsibilities to avoid compliance gaps between them.
  • Network segmentation is still recognized as a way to reduce scope, but there are now clearer requirements for testing that any segmentation controls are actually effective.

What new requirements are included in PCI-DSS 3.0?
With version 3.0, the PCI Security Standards Council enhanced or clarified existing PCI-DSS requirements. However, a number of new compliance requirements were added, including:

General: A new PCI-DSS ROC Reporting Template must be used as the template for creating the Report on Compliance.

General: More details have been added to the testing procedures to clarify the level of validation expected for each requirement. This reduces uncertainty over what is required to confirm compliance with a requirement and makes determining compliance much more straightforward and consistent.

Req. 5.1.2: An organization will need to be aware of evolving malware threats to its systems and act if malware does become a significant threat, rather than the previous assumption that malware protection was only required on Windows systems.

Req. 8.2.3: The recent change gives greater flexibility to meet this requirement by allowing a control that provides security equivalent to a password of at least 7 characters composed of numeric and alphabetic characters. Guidance recommends password entropy as a means of measuring this equivalence.
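To make the "equivalent security" comparison concrete, here is an added example (not code from the original post, and not the PCI SSC's own guidance) that scores a credential policy by entropy and compares it with the 7-character alphanumeric reference. It assumes the reference alphabet is case-sensitive, i.e. 62 symbols (26 lower-case letters, 26 upper-case letters, 10 digits); a case-insensitive reading would use 36. The policy names and sizes in `CANDIDATES` are constructed for illustration.

```python
import math
from dataclasses import dataclass

# Assumption: the 7-character alphanumeric reference uses a 62-symbol alphabet
# (a-z, A-Z, 0-9). Change BASELINE_ALPHABET to 36 for a case-insensitive reading.
BASELINE_LENGTH = 7
BASELINE_ALPHABET = 62


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a secret of `length` symbols chosen uniformly at random
    from an alphabet of `alphabet_size` symbols: length * log2(alphabet_size).
    Note this is the entropy of the *policy* (random selection); user-chosen
    passwords almost always carry less, so treat it as an upper bound."""
    if length <= 0 or alphabet_size <= 1:
        raise ValueError("length must be > 0 and the alphabet needs at least 2 symbols")
    return length * math.log2(alphabet_size)


def baseline_bits() -> float:
    """Entropy of the Req. 8.2.3 reference: 7 alphanumeric characters."""
    return entropy_bits(BASELINE_LENGTH, BASELINE_ALPHABET)


@dataclass(frozen=True)
class Policy:
    name: str
    length: int          # number of symbols (characters, digits or words)
    alphabet_size: int   # number of distinct symbols each position can take

    def bits(self) -> float:
        return entropy_bits(self.length, self.alphabet_size)


def meets_baseline(policy: Policy) -> bool:
    """True when the policy's entropy is at least that of the reference password."""
    return policy.bits() >= baseline_bits()


def min_length_for(alphabet_size: int) -> int:
    """Smallest number of symbols from this alphabet that reaches the baseline.
    A loop is used rather than ceil(baseline / log2(alphabet)) so that the
    reference alphabet itself returns exactly 7 without floating-point drift."""
    n = 1
    while entropy_bits(n, alphabet_size) < baseline_bits():
        n += 1
    return n


# Constructed candidate policies an assessor might be asked to compare.
CANDIDATES = [
    Policy("6-digit numeric PIN", 6, 10),
    Policy("10-digit numeric PIN", 10, 10),
    Policy("8 lower-case letters", 8, 26),
    Policy("4 words from a 2048-word list", 4, 2048),
]


def evaluate(policies=CANDIDATES):
    """Return (name, bits, meets_baseline) for each policy."""
    return [(p.name, round(p.bits(), 1), meets_baseline(p)) for p in policies]


if __name__ == "__main__":
    print(f"baseline: {baseline_bits():.1f} bits")
    for name, bits, ok in evaluate():
        print(f"{'OK ' if ok else 'NO '} {bits:5.1f} bits  {name}")
    for size in (10, 26, 62, 2048):
        print(f"alphabet of {size:4d} symbols needs at least {min_length_for(size)} symbols")
```

The reference works out to roughly 41.7 bits; a numeric PIN needs 13 digits and a lower-case-only password needs 9 characters to match it, while four words from a 2048-word list (44 bits) already exceed it. The caveat in the docstring matters for assessments: the figure describes the policy's search space, not the strength of the passwords people actually pick under it.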

Req. 8.6: Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) these must be linked to an individual account and ensure only the intended user can gain access.

Req. 9.3: Control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination.

Req. 9.9: Brick-and-mortar retailers will need to catalogue POS terminals and regularly check them to detect any theft or tampering (e.g. for skimming). At the European PCI Community Meeting, it was clarified that this only applies to the card interaction points (swipe or dip, etc.).

Req. 11.5.1: New requirement to confirm that alerts from the change detection mechanism are investigated. This update makes the requirement to investigate alerts more explicit.

Req. 12.8.2: Many organizations will have contracts in place which pre-date their PCI-DSS compliance efforts, but which did place a requirement on the Service Provider to maintain the security of CHD either explicitly or implicitly. These agreements must now explicitly address compliance with PCI-DSS requirements and so may require amendments to existing contractual agreements.

Req. 12.9: This is the mirror of changes to Requirement 12.8.2 – the Service Provider has a matching requirement to confirm it will maintain applicable PCI-DSS requirements to match the client’s requirement to obtain it from them.

What is the timing for these changes?
PCI-DSS 3.0 went into effect Jan. 1, 2014, but businesses are given a year to implement the updated standard. This means that during 2014 merchants and service providers can choose whether to validate compliance under version 2.0 or 3.0 of PCI-DSS, although they may not mix requirements from 2.0 and 3.0 together in a single assessment. Any validation conducted in 2015 must be conducted under version 3.0. Service providers also have until July 1, 2015 to meet specific requirements.

Want more information?
Watch my walkthrough of these changes in a comprehensive webinar: The Changing PCI Landscape: What does it mean for your organization? Additionally, download the white paper “PCI v3.0 Impact Analysis” for specific rule changes.