
Ready For PCI DSS 3.0?

Posted 28 Dec 2014

Credit card data breaches are becoming more prevalent in the news. Breaches result in lost time, money, and reputation for everyone except the attacker. Vigilance is critical.

Vendors have until January 1st to be compliant with the latest PCI Data Security Standard. PCI DSS 3.0 was officially released on January 1st 2014; however, organizations that were already compliant received a one year reprieve to move to the new standard. The specification includes many clarifications and a few new requirements.

Documentation has always been a critical aspect of IT services. The new spec clarifies what must be included in the network diagram and also adds a requirement that data flows for cardholder data must be included. Router and firewall configurations must be _documented and implemented_.

Code development and change management are also addressed in the new specification. Organizations must implement secure coding practices and keep up with emerging threats. Organizations must also keep an inventory of all system components, and that inventory is used to define configuration standards. Yes, it’s another documentation requirement. The spec includes a renewed focus on penetration testing: organizations must document their penetration testing methodology and adhere to it.

Merchants and service providers cannot simply run a vulnerability scan and generate a report to be compliant. Full compliance is an ongoing process with continual gap analysis and threat assessment. Is your company ready?
