On the first day of this year, version 3.0 of the Payment Card Industry Data Security Standard became the standard. Although the transition period took place over the past 14 months, some merchants are still struggling to understand exactly what the new guidelines are, let alone beginning to implement new internal policies and procedures. Even if an organization is not prepared, a Qualified Security Assessor will come knocking at some point. It is therefore crucial to learn about the differences and how to deal with the many changes found in PCI DSS 3.0. There is no stopping PCI DSS 3.0, and there is little time left to start complying, so let’s cover everything.
Forbes reported that PCI DSS 3.0 is part of the PCI’s mission to “enhance payment account data security by driving education and awareness of the PCI security standards.” Every three years, the PCI updates its guidelines after collecting input from QSAs, merchants and organizations.
“PCI DSS 3.0 introduces 96 new rules, all focusing on preventing data breaches.”
PCI DSS 3.0 comes at a time when payment card security is a hot topic. Recent data breaches called attention to lacking security standards across the retail industry, and many businesses could potentially put the blame on PCI 2.0. However, it is a bit late for pointing fingers, and PCI DSS 3.0’s 96 new rules should go a long way toward preventing a year like 2014.
According to the PCI Security Standards Council, PCI DSS 3.0 is based on the current landscape of payment security, but it also addresses the future of the industry. Specifically, it seeks to manage evolving threats, align with industry best practices and eliminate redundant requirements, which should make the guidelines less complex to understand. The PCI Security Standards Council is stressing that payment security should be considered “business as usual,” and its new guidelines demonstrate this by emphasizing documentation and management.
If all of this sounds intimidating to merchants, they do not need to worry, because they are not alone in their lack of readiness. MSPMentor cited Proficio’s PCI DSS 3.0 survey, which found that only 43 percent of 129 security and compliance professionals currently meet the new standards, while 34 percent of respondents stated they are not following the recently implemented guidelines and 23 percent said they do not know whether they comply with PCI DSS 3.0. According to the source, challenges with PCI DSS 3.0 adoption include concerns with security and monitoring processes and completing a risk assessment or penetration test.
There is good news, however. The PCI DSS 3.0 readiness survey found that 90 percent of respondents were moderately to highly confident that they will be fully compliant with PCI DSS 3.0 before the end of June. With a look at what experts have to say and some tips from the PCI Security Standards Council, these businesses can hopefully be ready before that date passes.
All about documentation
Isabel Bardsley-Garcia, QSA and PCI practice lead for the security consulting group within AT&T Consulting Solutions, told TechTarget that the most impactful changes for businesses in PCI DSS 3.0 relate to the documentation of security policies and procedures. PCI DSS 3.0 requires merchants to create and write down new operational processes that specifically outline how the guidelines are being enforced and how strategies are being implemented. Bardsley-Garcia explained to the source that the amount of preparation and paperwork necessary to remain PCI compliant is a burden, but the required cooperation among IT professionals and business leaders should help everyone understand their role in payment security.
A best practice here is to be very detailed in every aspect of documentation. When a QSA conducts interviews, business leaders will not know what to expect, so it is important to cover all the bases. Additionally, documenting processes and procedures should assist in the task of assigning ownership of security activities. If everyone knows their role, an organization is unlikely to overlook any requirements.
Commitment to security
One obvious focus of PCI DSS 3.0 is security management. From monitoring to testing, the PCI Security Standards Council wants to make PCI compliance “business as usual” for all merchants. This means that companies will be adding security responsibilities to key organizational goals, placing equal importance on everything.
Rather than being only about complying with PCI, PCI DSS 3.0 is more about assessing risks, mitigating threats, monitoring systems and performing reviews and tests. Security needs to be embedded into daily workflows and be a concern for every employee.
“What the [PCI Security Standards] Council has tried to do with the new version of the standard is to make sure merchants ingrain PCI compliance with a lot of the changes that are often made in an environment,” Greg Rosenberg, QSA and security engineer at Trustwave Inc., told TechTarget. “The idea is to have IT staff ask the question, ‘How will this change impact security, compliance and risk?’”
The PCI Security Standards Council stressed the importance of keeping up with changes in the cybersecurity landscape, technology and organizational structure. Businesses will need to remain ready for everything that could possibly happen to ensure ongoing compliance with PCI DSS 3.0.
Organizationally, the PCI Security Standards Council suggested that businesses stay aware of anything that might potentially create non-compliance issues, such as shifts in corporate culture or the acquisition of other entities. Additionally, changes in payment channels, third-party outsourcing agreements and existing contracts might cause certain procedures or policies to become non-compliant with PCI. To avoid those problems, initial compliance strategies need to have built-in processes that detect and respond to those risks.
Furthermore, some technologies might affect PCI DSS 3.0 compliance. The PCI Security Standards Council recommended exercising extra rigor when reviewing security and oversight of aging IT solutions. Similarly, when implementing new systems, IT professionals should double-check PCI DSS 3.0 guidelines to ensure there are no hindrances to security.
The main takeaway in regard to PCI DSS 3.0 should be that the cybersecurity landscape is constantly evolving. By embedding security into all business practices and goals, merchants can guarantee that they are always compliant with the new secure payment standards.
Is your business ready for PCI DSS 3.0 compliance?