There are a number of new or updated requirements in Payment Card Industry Data Security Standard (PCI DSS) version 3.0 to address how technology is used both by the merchants and by attackers.
There are 5 key changes that we are helping clients to address to maintain their compliance:
- Penetration testing requirements now must verify the methods used to segment the cardholder data environment (CDE) from other areas of the network. Internal and external pen testing must follow an “industry accepted method” such as NIST SP 800-115.
- Assessors must “maintain an inventory of system components that are in scope for PCI DSS”. This includes both virtual and physical hardware and both custom and off-the-shelf software applications within the cardholder data environment. This is a key area where our team can help ensure that the proper scope is included for compliance, without the vendor including more than necessary simply because they don’t know how to rule out what is out of scope.
- Documentation must be maintained to show which PCI DSS requirements are managed by vendors, and each applicable vendor must sign off. This is a change from the past requirement of simply documenting your vendors.
- Merchants are required to “identify and evaluate evolving malware threats”. If recent breaches have taught us anything, it’s that no one is safe; therefore it’s critical to be monitoring the network for potential threats and investigating suspicious alerts. We know from our clients that monitoring logs is difficult for them to do consistently, and many do not have staff trained in IT security who know what to look for. We developed a solution to help with this requirement: ProVision Security Monitoring & Alerting. Anti-malware must also be locked so that users cannot disable it.
- More focus on educating staff to understand and follow standards properly. Often the weakest link in the process is the human, and it’s usually a lack of education rather than malicious intent. The PCI Council is offering both instructor-led and eLearning PCI Awareness Training to help meet the need for educating users and management.