In today’s global marketplace, credit card breaches are widespread, affecting everyone from small and medium-sized businesses to Fortune 100 corporations. As we’ve seen with recent retail breaches at Home Depot, Kmart, Target, Michaels and others, cardholder data (CHD) has become a more prevalent target, and there’s an increasing need to implement stronger security measures to protect consumers and their data. Businesses that manage CHD are required to comply with the Payment Card Industry Data Security Standard 3.0 (PCI DSS 3.0).
The PCI DSS 3.0 standard took effect January 1, 2014; however, organizations that were compliant with the requirements in PCI DSS 2.0 have an extended deadline and must comply with the new standard by January 1, 2015. The updated standard provides baseline security measures that align organizations more closely with industry best practices and drive them to build those practices into their daily operations. PCI DSS is no longer a once-a-year auditing activity; it is now a continuous day-to-day practice. In this slideshow, cloud security vendor Qualys provides five tips to prepare your business for PCI 3.0.
Preparing for PCI DSS 3.0 Compliance
Click through for five tips that can help organizations prepare for PCI DSS 3.0’s updated requirements, which become mandatory January 1, 2015, as identified by Qualys.
Understand What Requirements Have Evolved
Map your current environment to the new PCI DSS 3.0 requirements. The changes between the PCI DSS 2.0 and 3.0 requirements can be daunting if your organization is not prepared to implement the changes by the deadline. Build a plan to identify any new changes in your current environment that may require time and planning to implement by the January 1, 2015 deadline. For example, additional requirements and clarifications in the new standard significantly expand the scope of systems requiring security assessment and controls, including coverage of network devices like routers and firewalls.
According to an eWeek article on PCI DSS 3.0:
One of the new best practices that will not be required until 2015, Troy Leach, CTO of PCI SSC, told eWEEK, is a need for agreements between merchants and third-party service providers about the responsibilities of protecting cardholder data. Another area that will be an initial best practice is requirement 9.9, which stipulates further requirements around the inspection of physical security and protection for payment terminals.
Implement a Risk-Based Approach to Security
Build security risk management into your daily business practices. This applies to any corporate-wide policies already in place, and it is critical to understand, identify and maintain an inventory of the system components in scope for PCI DSS. Don’t rely solely on a “compliance checklist.” To remain fully compliant in the long term, organizations must treat compliance as an ongoing process across all business units and make security a priority, rather than a one-time “set it and forget it” project. PCI DSS 3.0 introduces additional requirements and recommendations that call for more frequent and thorough assessment of the controls in your environment.
Protect Stored Card Data
If your organization does store sensitive credit card data, be sure to keep it to a minimum and add additional controls such as encryption to prevent access to the data. Organizations are often not aware they hold cardholder data in data warehouses, servers, backup systems, desktops or other systems. Understand where your cardholder data is stored and protect it from unauthorized access.
Another option to consider is implementing tokenization. Learn more about Using Tokenization for Superior Data Security.
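The two ideas in this section, finding cardholder data you did not know you held and replacing it with tokens, can be shown in a few lines. The following is an added example, not code from the Qualys slideshow: it scans text for candidate primary account numbers (PANs), keeps only those that pass the Luhn checksum to cut down false positives, masks them for display, and swaps them for random vault tokens. The regular expression, the `TokenVault` class, the `tok_` token format and the sample records are all assumptions constructed for this illustration; a real vault would keep its mapping encrypted and segregated from the systems that handle tokens.

```python
"""Added example (not from the original page): locate stored PANs in text
and replace them with vault tokens so the PAN itself is no longer stored
alongside the business record.
"""
import re
import secrets

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
# Word boundaries stop the pattern matching inside longer digit runs.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) checksum; filters out most random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    """Strip spaces and dashes so only the digits remain."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs found in text, digits only."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Display form that keeps only the last four digits."""
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Maps random tokens to PANs.

    Tokens are generated from a CSPRNG and carry no information about the
    PAN. This in-memory dict is illustration only (an assumption of this
    example); a production vault stores the mapping encrypted and on a
    separate, tightly controlled system.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, digits: str) -> str:
        """Return the existing token for a PAN, or mint a new unique one."""
        if digits in self._token_by_pan:
            return self._token_by_pan[digits]
        while True:
            token = "tok_" + secrets.token_hex(8)   # constructed token format
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN; only the vault should be able to do this."""
        return self._pan_by_token[token]


def redact(text: str, vault: TokenVault) -> str:
    """Replace every Luhn-valid PAN in text with its vault token."""
    def repl(m: re.Match) -> str:
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return vault.tokenize(digits)
        return m.group(0)       # leave non-PAN digit runs untouched
    return PAN_PATTERN.sub(repl, text)


# Constructed sample records: one real-looking test PAN (a well-known
# Luhn-valid test number) and one order id that happens to be 16 digits.
SAMPLE_RECORDS = (
    "order=1234567890123456 customer=jdoe card=4111-1111-1111-1111 amt=42.00\n"
    "order=1234567890123456 customer=asmith card=tok_0123456789abcdef amt=9.99\n"
)


def demo() -> tuple[list[str], str]:
    """Run discovery and tokenization over the sample records."""
    vault = TokenVault()
    return find_pans(SAMPLE_RECORDS), redact(SAMPLE_RECORDS, vault)


if __name__ == "__main__":
    pans, redacted = demo()
    print("found:", [mask_pan(p) for p in pans])
    print(redacted)
```

Note that the order id `1234567890123456` is the same length as a card number but fails the Luhn check, so it is left alone; this is the difference between a bare regex sweep and a usable cardholder-data discovery pass.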
Regularly Test Security Systems and Processes
PCI standards require only a quarterly scan of security systems, so it’s a good idea to take a continuous security approach: monitor regularly and ensure that the effectiveness of your organization’s security controls is maintained on a continual basis. Threats come from within and outside the organization, so it’s important to test both internal and external networks daily. Use vulnerability scanning products and services, including web application scanning, to support ongoing assessment of web applications and fulfill PCI requirements. The result will be increased accuracy, improved efficiency and significant time and cost savings.
Maintain a Vigilant Policy Compliance Program
Organizations are required to meet the demands of internal and external auditors by providing evidence on how they meet the complex requirements of multiple regulatory mandates, industry standards, and compliance frameworks. By maintaining a vigilant policy compliance program using automated management processes, companies can reduce risk and continuously provide proof of compliance demanded by auditors across multiple compliance initiatives. As an added bonus, a policy compliance program helps identify and assess key security settings in your systems, which indirectly helps improve PCI compliance.