Maybe it’s me, but 2014 seems to be passing quickly. And if there’s one theme that will define the year for many of us, it’s getting ready for PCI DSS 3.0.
If you’re wondering what kind of changes are in store, 3.0 addresses common challenges such as weak passwords, authentication issues, the need for clearer scoping and reporting, third-party security, and anti-malware controls, to name just a few. Some of these may require considerable work for your organization; some may not. Regardless, it’s a good idea to start assessing your systems now so that you’re compliant by the January 2015 deadline.
Below are a few of the areas you’ll be asked to focus on.
- A Shift from an Annual Compliance Approach to Daily Security. As new payment technologies are adopted, attack surfaces grow with them. Make no mistake, cybercriminals understand exactly how your systems work. Treating compliance as an annual checklist isn’t enough; organizations must adopt a proactive, business-as-usual approach to information security. For many of us, that means educating our staff, partners and leadership to create a culture of vigilance.
- Third-Party Relationships. Many recent breaches have involved service providers, which is one reason 3.0 focuses on improving communication and transparency between customers and providers. Responsibilities must be clearly divided, communicated and documented in writing: that includes infrastructure, data storage, security controls, validation and testing activities, and any subcontractors who might affect your environment.
- Defining and validating in-scope systems. One of your first steps will be understanding and defining your cardholder data environment (CDE). That means identifying every location and flow of cardholder data, producing accurate network and data-flow diagrams and an exhaustive system inventory, and, of course, limiting your scope through network segmentation. Finally, you’ll need to validate it all with cardholder data searches and penetration testing of the segmentation, and keep documented proof that your data is exactly where it should be, and nowhere else.
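The cardholder data search mentioned above is usually done with a discovery tool, but the core logic is small enough to show here. The following is an added example (not code from the original post, Armor, or any product) of a PAN sweep over text: it finds 13-to-19-digit candidates, confirms them with the Luhn check, and reports only a masked value and location, so the scan report itself does not become a new copy of cleartext cardholder data. The sample log is constructed for the example, and the issuer hint is a simplified heuristic for triage, not a complete BIN table.

```python
"""Cardholder-data discovery sweep: find candidate PANs in text, confirm with
Luhn, and report only masked values (first six / last four) plus location."""
import re
import sys

# Constructed sample log (not real data): an order id, a Visa PAN leaked into a
# debug line, a spaced Mastercard PAN in a support note, a 16-digit ticket id
# that fails Luhn, an Amex PAN, and a phone / tracking number that must not match.
SAMPLE_TEXT = """2014-03-02 10:15:01 order=1234567890 customer=jdoe status=approved
2014-03-02 10:15:02 DEBUG card=4111111111111111 exp=09/16 auth=OK
2014-03-02 10:15:03 support note: cust read card as 5500 0000 0000 0004
2014-03-02 10:15:04 ticket=1234567890123456 (ticket ids are 16 digits)
2014-03-02 10:15:05 amex 378282246310005 refund pending
2014-03-02 10:15:06 phone=972-555-0100 tracking=1Z999AA10123456784
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run. Everything this matches is only a candidate.
CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test (ISO/IEC 7812) over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits (the PCI DSS 3.3 display limit)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def brand_hint(digits: str) -> str:
    """Coarse issuer hint from the leading digits; simplified, for triage only."""
    if digits[0] == "4":
        return "visa"
    if digits[:2] in {"34", "37"}:
        return "amex"
    if "51" <= digits[:2] <= "55":
        return "mastercard"
    return "unknown"


def scan_for_pans(text: str) -> list:
    """Return one finding per Luhn-valid candidate: line number, masked PAN, length, brand."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue            # ticket ids, phone numbers etc. drop out here
        hits.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "masked": mask_pan(digits),
            "length": len(digits),
            "brand": brand_hint(digits),
        })
    return hits


def scan_file(path: str) -> list:
    """Scan one file; errors='replace' keeps binary junk from aborting the sweep."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        hits = scan_for_pans(fh.read())
    for h in hits:
        h["file"] = path
    return hits


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the given files.
    paths = sys.argv[1:]
    findings = [h for p in paths for h in scan_file(p)] if paths else scan_for_pans(SAMPLE_TEXT)
    for h in findings:
        where = f"{h.get('file', '<sample>')}:{h['line']}"
        print(f"{where}: {h['brand']} PAN ({h['length']} digits) {h['masked']}")
```

Run against the sample it reports three findings (the Visa, Mastercard and Amex numbers) and ignores the ticket id, phone number and tracking number. In a real sweep you would point it at log directories, database exports and file shares both inside and outside the CDE, and every hit outside the documented data flows is either a scoping error or a leak to clean up.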
- Point-of-sale (POS) terminals. The rise in skimming, physical tampering and POS attacks such as the Target breach is just one reason 3.0 puts more emphasis on terminal security. Requirements include keeping an inventory of devices (including serial numbers), periodically inspecting devices and their tamper-evident seals for tampering or substitution, and training frontline employees to recognize it.
- Strengthening password policies, tokens and certificates. Some of you are already doing this; others not thoroughly enough. 3.0 asks organizations to change vendor default passwords and tighten password requirements for user, application and service accounts, with new criteria for protecting credentials, physical security tokens, smart cards and certificates.
- Evolving malware threats. Systems not commonly affected by malware must now be periodically evaluated to confirm they still don’t need anti-malware protection, and there are new requirements that antivirus mechanisms run continuously and cannot be disabled or altered by users.
If you haven’t gotten started yet on transitioning your compliance practices, don’t worry. Here at Armor we’re offering a full lineup of webinars and other resources to guide you down the path to 3.0 compliance. Making these changes might seem burdensome at first, but remember that 3.0’s purpose is to keep your environment and your customers safe in a payment IT landscape where threats are always evolving. We’ll walk you through the changes across all 12 requirements and help you understand how to adapt to the new standards.