The Payment Card Industry Security Standards Council has called for a ‘business as usual’ approach to PCI DSS compliance in the latest version of the Standard, due to come into force on 1 January 2015.
This deadline means that merchants and service providers required to comply with the PCI DSS will be assessed against the requirements of the new Standard when their next validation is due. The ‘business as usual’ approach has been introduced to help organisations take a proactive approach to protecting cardholder data with a focus on security, instead of following a ‘tick box’ approach to compliance.
In response to the growing urgency for organisations to take action and bring their systems, processes and procedures into line with the new requirements, IT Governance has launched a bespoke QSA-led PCI Transition Consultancy service, available to service providers and merchants seeking authoritative advice and assistance with implementing the new version.
The changes introduced by version 3 have been categorised under three headings, namely ‘Clarification’, ‘Additional guidance’ and ‘Evolving requirements’, in order to provide further clarity to the often complex elements of the Standard.
Alan Calder, founder and chief executive of IT Governance, says, “PCI DSS v3 requires companies to reassess their data protection strategies and implement interventions that embrace a comprehensive approach to security. The new Standard is aimed at bringing about greater consistency across PCI DSS assessors. Organisations without the necessary PCI expertise that are unsure about the new requirements should seek out professional guidance and support to ensure they are interpreting the Standard correctly.”
Some of the new requirements will require an extensive modification to existing processes or procedures, with the deadline for compliance to some of these due on 30 June 2015. Changes introduced by PCI DSS v3 include the need to review network and data flow diagrams (Req. 1.1.2, 1.1.3), the protection of card capture devices (Req. 9.9), the requirement to conduct an inventory of wireless access points (Req. 11.1.1), the need to review your service provider requirements (Req. 12.8.5, 12.9) and the introduction of a written penetration testing methodology (Req. 11.3).
Version 3 also requires that retailers, card processors and others in the payment supply chain invest more in threat monitoring, detection and response mechanisms.
Given the spate of high-profile card breaches in recent months, it is clear that organisations should undertake a careful and thorough review of their existing set of security solutions in order to not only comply, but also to avoid the excessive costs related to payment card-related data breaches.
Find out more about the PCI Transition consultancy at www.itgovernance.co.uk/shop/p-1674.aspx
Contact IT Governance for a quote on +44 (0)845 070 1750 and get your planning underway to meet your compliance obligations when your next audit or SAQ submission is due.