Thomas Jefferson wisely said, “Never put off till tomorrow what you can do today.” When it comes to compliance with Payment Card Industry Data Security Standard (PCI DSS) version 3.0, it might be time for merchants to heed Jefferson’s advice. In a recent survey conducted by NTT Com Security aimed at assessing the awareness, acceptance, and understanding of PCI DSS 3.0, the findings were eye-opening:
- Just 30% of respondents said they have reviewed the requirements and have a plan in place.
- 41% stated they had heard of PCI DSS 3.0, but did not have a plan for compliance.
- 70% were unaware of the date by which they need to be PCI DSS 3.0 compliant. [1]
Having just completed PCI DSS 3.0 validation, we encourage you to move PCI DSS 3.0 planning to the top of your to-do list.
What Are the Important Dates?
The Payment Card Industry Security Standards Council (PCI SSC) released version 3.0 of the DSS in November 2013. Reporting guidelines were made available in February 2014; however, entities that are currently PCI DSS 2.0 compliant have until their next anniversary date in 2015 to validate compliance with the new standard.
How Do the Versions Differ?
The version 3.0 changes continue to raise the level of best practices that govern the industry. They are designed to help organizations take a proactive approach to protecting cardholder data, with a focus on security rather than compliance, and to make PCI DSS a business-as-usual practice.
According to the PCI SSC, PCI DSS version 3.0 will [2]:
- Provide stronger focus on some of the greater risk areas in the threat environment
- Build greater understanding on the intent of the requirements and how to apply them
- Improve flexibility for all entities implementing, assessing and building to the Standards
- Help manage evolving risks/threats
- Align with changes in industry best practices
- Clarify scoping and reporting
This is a summary of the high-level changes, but what does it mean to the merchant? Depending on how your organization conducts business, here are just a few of the new and updated requirements that may affect your processes and procedures:
- Req. 2.4 – Maintain an inventory of system components that are in scope for PCI DSS.
- Req. 5.1.2 – For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.
- Req. 9.3 – Control physical access for onsite personnel to the sensitive areas as follows:
  - Access must be authorized and based on individual job function.
  - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
Be aware that these are just a few of the changes. There are updates to all 12 requirements, including some new sub-requirements. The changes increase the stringency with which these controls are validated as correctly implemented, and introduce more rigorous testing procedures. For full details, read the PCI Security Standards Council’s comprehensive change log, PCI DSS and PA-DSS Version 3.0 Change Highlights.
What Has Stayed the Same?
If you are using TrustCommerce solutions, you are ahead of the curve, because we are already PCI DSS version 3.0 validated. TrustCommerce solutions support merchants’ efforts in achieving and maintaining PCI compliance. Leveraging an array of solutions, for example Point-to-Point Encryption, tokenization, seamless redirect, and hosted payment pages, merchants can reduce their PCI scope, and protect payments end-to-end, from the point of entry, through transmission, to storage.
What Can You Do to Prepare?
PCI DSS compliance should be an important part of your overall security strategy. Now is the time to begin preparing to meet next year’s deadline.
- Take time to read through the new standard.
- Contact your QSA and find out if anything has changed in your particular area of business.
- Reach out to TrustCommerce to discuss solutions that align with your PCI compliance efforts: call 800.915.1680, option 2, or contact us.
Begin planning now to ensure a smooth transition to the new set of standards.
[2] PCI Security Standards Council LLC, “PCI DSS and PA-DSS Version 3.0 Change Highlights,” August 2013.