In January 2015, the first set of requirement changes will roll out for PCI-DSS. This is the first in a series of posts highlighting the new changes.
Starting in January 2015, several new changes will go into effect in order to remain PCI compliant. These changes will occur in two stages, with new requirements rolling out across the year based on priority and the amount of effort needed. To be prepared for the changes set for January 1, make sure that your security and IT teams are adjusting your processes and standards now.
Previously the PCI standards were updated on a two-year cycle, but as the standard matures it has moved to a three-year development lifecycle. Not all sections have new requirements, but each has clarifications to previous sections.
The following are changes that you should be aware of:
Many of the changes between PCI 2.0 and 3.0 are considered common sense changes, and are to clarify and strengthen past requirements. Requirement additions will note whether they will go into effect on January 1 or July 1, 2015.
Install and maintain a firewall configuration to protect cardholder data.
This means that a firewall must always be active, and if it is ever turned off, there must be a valid and documented reason for doing so. This is similar to the requirement change in the virus protection section.
Do not use vendor-supplied defaults for system passwords and other security parameters.
All users are required to change vendor-supplied (default) passwords. Some common default password examples are: admin, 1234, guest, password, root, etc. A new requirement has also been added to section two; its purpose is to support effective scoping practices.
Protect all systems against malware and regularly update anti-virus software or programs.
This requirement includes two new sections. Similar to the clarifications with firewalls in requirement 2, antivirus software must now be configured to always be updated, be active, and regularly scan for issues. If the antivirus software needs to be shut off, this must be approved by management and documented.
Develop and maintain secure systems and applications.
The clarifications and addition to requirement 6 focus on emerging threats.
Identify and authenticate access to system components.
There are two new sections for this requirement, and they focus on non-password security features such as physical security tokens, smart cards, and certificates.
Restrict physical access to cardholder data.
The purpose of these changes is to prevent or reduce tampering with or replacement of point-of-sale (POS) or other devices. Among these changes are the need to keep an inventory of devices, to regularly check devices for signs of tampering, and to train personnel to be aware of suspicious behavior.
Regularly test security systems and processes (penetration testing).
This particular change is noted to be the most rigorous and possibly the most costly, and has three new additions. The new penetration tests will focus on testing from both inside and outside the network, on reviewing threats and vulnerabilities experienced in the past 12 months, and on following industry-accepted approaches.
Maintain a policy that addresses information security for all personnel.
These changes require maintaining information about which PCI DSS requirements are managed by service providers and which are managed by the entity itself.
According to the PCI Security Standards Council, version 3.0 updates are based on feedback from the industry, per the standards development lifecycle, as well as in response to current market needs. Common challenge areas and drivers for change include:
For further details and information about these changes, see the PCI Security Standards Council change highlight document. For an introductory look at what PCI compliance is, and why it’s more than just a requirement, look at Trustwave’s PCI 101 series.
On December 16 at 2 pm EDT, we will be hosting a webinar with Coalfire’s QSA. It’s free to attend, and is designed so that you can get all of your questions answered.
To get the latest PCI 3.0 update in your inbox each week, subscribe to our digest.