The Payment Card Industry Data Security Standard (PCI DSS) is designed to ensure the safe handling of cardholder information at every step of payment card processing through effective use of specifications, tools, measurements, and support resources.
The latest version – PCI DSS 3.0 – raises security standards.
Unlike past versions, which were criticized for promoting a ‘check-box’ mentality to compliance, version 3.0 emphasizes risk-based security. The PCI Council has also added new guidance for security as a shared responsibility, in response to third-party originated security incidents like the Target data breach.
When is the Deadline for PCI DSS 3.0?
The new iteration of PCI DSS, issued in November 2013, took effect on 1 January 2015, with a handful of evolving requirements taking effect on 1 July 2015. The deadline for assessing under PCI DSS 3.0 will occur at each merchant’s first self-assessment questionnaire (SAQ) or qualified security assessor-driven (QSA) assessment in 2015.
Who Should Align with PCI DSS 3.0?
PCI DSS is one of the most pragmatic industry standards. Most organizations would benefit from applying at least some of the security controls outlined in PCI DSS 3.0 in their day-to-day operations.
Are Organizations Ready For PCI DSS 3.0?
Adoption varies by organization size. Small and mid-sized organizations will adopt the new standard more slowly than larger organizations, which have already started adding some of the new controls and guidance to their business processes. In light of the increased number of third-party originated data breaches, larger firms have started to implement the new requirements for penetration testing, application development life-cycle security, and threat modeling.
"PCI DSS 3.0 is propagating increased education and awareness, especially [about] the usage of passwords"
What Are the Main Changes in PCI DSS 3.0?
The majority of changes in PCI DSS 3.0 relate to clarifications of prior guidance, but certain changes, outlined below, are of particular note.
To begin with, the new version clearly states that compliance should not be seen as a point-in-time assessment to achieve annual certification, but rather be managed on a continuous basis and embedded into a company’s day-to-day operations.
Also, due to the changes in the threat landscape, PCI DSS 3.0 is propagating increased education and awareness, especially as it relates to the usage of passwords – still a weak point when it comes to cyber-attacks.
With many organizations pushing outsourcing to its limits, the new guidance places special emphasis on implementing a strong and effective vendor risk management framework and institutes guidance on outsourcing PCI DSS responsibilities. For example, service providers with remote access to their customers’ premises are now instructed to use unique authentication credentials for each of them.
PCI DSS 3.0 also establishes new methodology requirements for penetration testing, which has become essential in defending against cyber-threats.
Finally, the scope of systems that must be assessed for compliance has been expanded. For instance, systems that don’t hold card data or personal identifiable information are still considered in scope if they’re used to view this type of data.
Key Challenges to Compliance
PCI DSS 3.0 inherently implies that organizations adopt continuous compliance and monitoring to reduce the risk of a breach. This includes: reconciliation of assets and automation of data classification; alignment of technical controls; automation of compliance testing; deployment of assessment surveys; and automation of data consolidation.
Applying continuous (security) monitoring increases the frequency of data assessments, the volume of data generated, and the need to automate data aggregation and normalization from various sources – security information and event management (SIEM), asset management, threat feeds, vulnerability scanners, etc. This may pose a burden to many organizations that lack the resources to support these processes. Combing through data sets collected by silo-based security systems typically requires a legion of employees to connect the dots.
Overcoming the Challenges
When conducting continuous compliance, organizations can reduce overlap by leveraging a common control framework, increase accuracy in data collection and analysis, and reduce redundant, manual, and labor-intensive efforts by up to 75%. By unifying security, monitoring solutions, and streamlining processes, organizations can create situational awareness to expose exploits and threats in a timely manner, and gather historic trend data, which can assist in predictive security.
About the Author
Torsten George is vice president of worldwide marketing and products at risk management software vendor Agiliance. Torsten has more than 20 years of global information security experience. He is a frequent speaker on compliance and security risk management strategies worldwide and regularly provides commentary and byline articles for media outlets, covering topics such as data breaches, incident response best practices, and cybersecurity strategies.