By now, many organizations have implemented PCI DSS v3.2 and though the previous version (v3.1) expired in October of 2016, some of the new requirements became effective February 1, 2018. Additional requirements are due to be effective in July 2018. Confused yet? Whether you have not yet adopted the new standard, or have put PCI compliance off until the last minute, there is still time to become PCI DSS 3.2 compliant in 2018.Why is PCI Compliance Needed?
To address the growing threat on payment card data breach, in 2006 major credit card brands came up with the idea of creating universal standards for securing cardholder data through the Payment Card Industry Data Security Standard (PCI DSS). The main goal of PCI DSS standard is to keep cardholder data protected from possible compromise and threats. Though the number of merchants who are fully PCI DSS compliant increases annually, non-compliance may not be an option in 2018.
The Payment Card Industry Security Standards Council (PCI SSC) provides a high level overview for the 12 requirements for PCI compliance. The high level overview includes
- Building and Maintaining a Secure Network and Systems
- Protecting Cardholder Data
- Maintain a Vulnerability management program
- Implementing Strong access control measure
- Regularly Monitoring and testing networks
- Maintaining an Information security policy
With GDPR requirements going into effect in May of 2018, some of the PCI requirements can assist with the data security requirements for GDPR compliance but they are not one and the same.
As noted in a recent David Huen article, PCI requires companies to protect credit card data and GDPR requires companies to give consumers the right of managing their data. Many organizations may not understand the full scope of these requirements, and believe that PCI and GDPR can just solve compliance requirements.
As Tony Smith states, the upcoming changes to PCI and new GDPR are creating starting points, but "broader changes are imminent, as businesses change the way they view attacks and how quickly they respond".
PCI v3.2 Requirements
The big changes for PCI DSS v3.2 involve safeguarding payment data and secure sockets layer/early transport layer security ( SSL/early TLS). Updating these security controls is required by July 1, 2018.
PCI DSS v3.2 Requirements include:
- MFA for non-console administrative access to the CDE (8.3.1) Deadline: February 1, 2018
- Change management processes to confirms PCI DSS requirements in place after significant change( 6.4.6) Deadline: February 1, 2018
- Additional requirements for service providers Deadline: February 1, 2018
- SSL/TLS migration Deadline: July 1, 2018
- Only secure versions of the protocol to be used as security control
- Allowance for POS POI terminals confirmed not to be vulnerable
Organizations of any location, size, and type handling cardholder data must comply with PCI compliance standards. However, the level of compliance for an organization is determined by transactions.
Just as the levels and the requirements vary, the factors which affect the costs of compliance can vary as well. Some of the factors include in-house PCI knowledge, hardware, business type, senior leadership, and QSAs. To learn more, visit 9 Factors to Consider.
Best Practices for Continuous PCI Compliance
Maintain PCI Compliant Software
As we mentioned earlier, there are 12 requirements for PCI DSS, and PCI DSS v3.2 requires the implementation of a change detection mechanism such as File Integrity Monitoring (FIM) software as defined in Requirements 10 and 11. Not all software is the same, and there are 4 specific features to look for in a PCI solution that adhere to these requirements.
- Proactive Change management
- Auditing Capabilities
- Integrated Ticketing
- Automatic Vendor Change Identification
For a more in-depth review, visit 4 Key features to look for in a PCI software.
Monitor All Permissions
As part of an information security policy, security admins and leadership team members control the privileges of those who have acess to highly secured data and information. All too often remote employees, or even those no longer with a company have access to logs that should no longer be accessible. Organizations need to ensure that logs are not modifiable, even by top-level associates.
File Integrity Monitoring (FIM)As a core requirement for PCI DSS, file integrity monitoring should be a critical component with any information security policy. Requirements 10 and 11 are the PCI requirements that CimTrak most strongly aligns with: monitoring and tracking access to all data resources and cardholder data, as well as testing processes and security systems regularly.
CimTrakCimTrak helps organizations through complete integrity monitoring, automated configuration monitoring, and complete perimeter protection of routers and firewalls. This is all achieved without disrupting critical systems from continuously running. Learn more about how to maintain PCI DSS compliance with CimTrak today.
February 14, 2018