PCI-DSS 3.0 Security Standards Just Released

Expanded requirements for malware threat detection, expanded testing procedures, improved physical access controls, and service provider agreement/acknowledgements

On November 7th, 2013 the PCI Security Standards council released the much anticipated update to the PCI-DSS Security Standards.  PCI-DSS 3.0 is here and organizations will need to begin the process of reviewing the new requirements and performing a gap analysis to address any deficiencies in operational and application security.

The PCI Security Standards Council updates its policies every three years.  With input from program participants, industry stakeholders and assessors, the council published their draft recommendations in Augusts and released the final policies on November 7th.  In the latest version of the standards, there are specific recommendations for making PCI-DSS “part of everyday business processes and best practices for maintaining ongoing PCI DSS compliance; guidance from the Navigating PCI DSS Guide built in to the standard; and enhanced testing procedures to clarify the level of validation expected for each requirement”.

PCI-DSS

  • Req. 5.1.2 – evaluate evolving malware threats for any systems not considered to be commonly affected
  • Req. 8.2.3 – combined minimum password complexity and strength requirements into one, and increased flexibility for alternatives
  • Req. 8.5.1 – for service providers with remote access to customer premises, use unique authentication credentials for each customer*
  • Req. 8.6 –    where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) these must be linked to an individual account and ensure only the intended user can gain access
  • Req. 9.3 –    control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination
  • Req. 9.9 –    protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution*
  • Req. 11.3 & 11.3.4 – implement a methodology for penetration testing if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective*
  • Req. 11.5.1-implement a process to respond to any alerts generated by the change-detection mechanism
  • Req. 12.8.5-maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity
  • Req. 12.9 –  for service providers, provide the written, agreement/acknowledgment to their customers as specified at requirement 12.8.2*

PA-DSS

  • Req. 5.1.5 – payment application developers to verify integrity of source code during the development process
  • Req. 5.1.6 – payment applications to be developed according to industry best practices for secure coding techniques
  • Req. 5.4  –   payment application vendors to incorporate versioning methodology for each payment application
  • Req. 5.5  –   payment application vendors to incorporate risk assessment techniques into their software development process
  • Req. 7.3  –   application vendor to provide release notes for all application updates
  • Req. 10.2.2-vendors with remote access to customer premises (for example, to provide support/maintenance services) use unique authentication credentials for each customer
  • Req. 14.1 –provide information security and PA-DSS training for vendor personnel with PA-DSS responsibility at least annually

*Indicates future dated requirements that are best practices until 01 July 2015

To access a more detailed summary of the changes from PCI DSS 2.0 to 3.0, or to download a copy of the complete PCI-DSS 3.0 Security Standards, please visithttps://www.pcisecuritystandards.org/security_standards/documents.php.

Phillip W. Duff

Phillip W. Duff the Founder of Lighthouse Consulting was trained in Six Sigma while working for Bombardier Capital in 2001, and is highly successful helping organizations improve their processes using the Six Sigma methodology. Mr. Duff has consulted with numerous companies over the last 10 years and has shown the ability to enact cultural change in a company. He has also initiated programs proven to drive positive revenue growth both as an employee and a consultant. His focus is to help CEO’s with a focus on growth. His knowledge of technology and background in debt collections have combined to help companies automate processes and identify which processes provide profits. Mr. Duff has also developed a unique process of initiating cultural change as a part of developing a revenue-driven atmosphere in a variety of formats. This unique philosophy and technique are unseen to date. His substantial experience in the collection industry, Six Sigma core competency and extensive industry relationships can provide you and your team a matchless perspective into your accounts receivable business or any business strategy.

More Posts - Website

Follow Me:
LinkedInGoogle PlusStumbleUpon

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *