The leading experts in campus-wide payment solutions to independent schools.


PCI 3.0 Changes to Prepare for Starting in January 2015

In January 2015, the first set of requirement changes will rollout for PCI-DSS. This is the first in a series of posts highlighting the new changes.

Starting in January 2015, several new changes will go into effect in order to remain PCI compliant. These changes will occur in two stages, with new requirements rolling out across the year based on priority and the amount of effort needed. To ensure that you are prepared for the changes set for January 1, ensure that your security and IT teams are adjusting your processes and standards.

PCI 3.0

Previously the PCI standards were updated on a two-year cycle, but as it begins to mature, it is now on a three-year development lifecycle. Not all sections have new requirements, but each have clarifications to previous sections.

The following are changes that you should be aware of:

New Requirements in PCI 3.0

Many of the changes between PCI 2.0 and 3.0 are considered common sense changes, and are to clarify and strengthen past requirements. Requirement additions will note whether they will go into effect on January 1 or July 1, 2015.

Changes to PCI Compliance Requirement 1

Install and maintain a firewall configuration to protect cardholder data.

  • Clarified that firewall and router standards have to be both documented and implemented. Effective January 1, 2015.

This means that a firewall must always be active, and if it is ever turned off, there must be a valid and documented reason for it. This is a similar requirement change to the virus protection section.

Changes to PCI Compliance Requirement 2

Do not use vendor-supplied defaults for system passwords and other security parameters.

All users are required to change vendor supplied (default) passwords. Some common default password examples are: admin, 1234, guest, password, root, etc. A new requirement has also been added to section two. The purpose for this is to support effective scoping practices.

  • Maintain an inventory of system components in scope for PCI DSS. Effective January 1, 2015.

Changes to PCI Compliance requirement 5

Protect all systems against malware and regularly update anti-virus software or programs.

includes two new sections. Similar to clarifications with firewalls in requirement 2, antivirus software must now be configured to always be updated, be active, and regularly scan for issues. If the antivirus software needs to be shut off, it must be approved by management and documented.

  • New requirement to evaluate evolving malware threats for any systems not considered to be commonly affected by malicious software. Effective January 1, 2015.
  • New requirement to ensure that anti-virus solutions are actively running (formerly in 5.2), and cannot be disabled or altered by users unless specifically authorized by management on a per-case basis. Effective January 1, 2015.

Ask a QSA

Changes to PCI Compliance Requirement 6

Develop and maintain secure systems and applications.

The clarifications and addition to requirement 6 focus on emerging threats.

  • New requirement for coding practices to protect against broken authentication and session management. Effective January 1, 2015.

Changes to PCI Compliance Requirement 8

Identify and authenticate access to system components.

There are two new sections for this requirement, and it focuses on non-password related security features such as physical security tokens, smart cards, and certificates.

  • New requirement where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) that the mechanisms must be linked to an individual account and ensure only the intended user can gain access with that mechanism. Effective January 1, 2015.

Changes to PCI Compliance Requirement 9

Restrict physical access to cardholder data.

The purpose of these changes are to prevent or reduce tampering or replacement of point of sale (POS) or other devices. Among these changes are the need to keep an inventory of devices, regularly check devices for signs of tampering, and training personnel to be aware of suspicious behavior.

  • New requirement to control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination. Effective January 1, 2015.

Changes to PCI Compliance Requirement 11

Regularly test security systems and processes (penetration testing).

This particular change is noted to be the most rigorous and possibly costly, and has three new additions. The new penetration tests will focus on testing both inside and outside the network, reviewing threats and vulnerabilities experienced in the past 12 months, and industry-accepted approaches.

  • New requirement, if segmentation is used to isolate the CDE from other networks, to perform penetration tests to verify that the segmentation methods are operational and effective. Effective January 1, 2015.
  • New requirement to implement a process to respond to any alerts generated by the change-detection mechanism. Effective January 1, 2015.

Changes to PCI Compliance Requirement 12

Maintain a policy that addresses information security for all personnel. These changes maintain information about which PCI DSS requirements are managed by service providers and which are managed by the entity.

  • New requirement to maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity. Effective January 1, 2015.

PCI 3.0 Requirement Change Drivers

According to the PCI Security Standards Council, version 3.0 updates are based on feedback from the industry, per the standards development lifecycle, as well as in response to current market needs. Common challenge areas and drivers for change include:

  • Lack of education and awareness
  • Weak passwords, authentication
  • Third-party security challenges
  • Slow self-detection, malware
  • Inconsistency in assessments

For further details and information about these changes, see the PCI Security Standards Council change highlight document. For an introductory look at what PCI compliance is, and why it’s more than just a requirement, look at Trustwave’s PCI 101 series.

Questions? Speak With the Experts

On December 16 at 2 pm EDT, we will be hosting a webinar with Coalfire’s QSA. It’s free to attend, and is designed so that you can get all of your questions answered.

To get the latest PCI 3.0 update in your inbox each week, subscribe to our digest.