PCI DSS version 3.0 : January 2015 Deadline Looms

PCI DSS 3.0 deadline

Merchants who submit annual SAQ’s can continue to validate compliance with 2.0 SAQs until January 1, 2015. If merchants annual validation occurs in December,they’re not mandated to validate with version 3.0 until December 2015.

Are you ready?  Every merchant is impacted by the update, which are considerable. The PCI DSS Quick Reference Guide is 40 pages so there will be no attempt to duplicate it here. Here’s some issues merchants mostly likely need to address:

  1. Maintain an inventory of system components that are in scope for PCI DSS and also further, protect devices from tampering. Merchants have to identify all software, hardware, networks, what it’s used for, why it’s needed. This is a difficult task for larger retail operations where equipment is regularly moved and replaced. To comply, there must be a plan to regularly inspect equipment with serial number verification.
  2. Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties. Even if in place, rarely is the case where every employee is fully informed. Adding a component to HR employee reviews is the simplest way to initiate a system.
  3. Render PAN unreadable anywhere it is stored- the card number must be unreadable per 3.4.
  4. The CAV2/CVC2/CVV2/CID can never ever be stored. OK, this one is old, but it’s still abused so it’s being repeated again. It’s NOT OK to store if ‘for a while’.
  5. Control physical access for on-site personnel; access authorized and based on individual job function and revoked immediately upon termination.The vast majority of companies have little control over employee access by job function. Their equipment or software simply has too many limitations. Merchants need to micro manage what employees can do, and document each employees interaction ( who processed what transaction etc.)
Goals of the PCI Data Security Standard
  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy
PCI: IS AN ongoing 3-step process
  • Assess – identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.
  • Remediate – fixing vulnerabilities and not storing cardholder data unless you need it.
  • Report – compiling and submitting required reports to the acquiring bank and card brands you do business with.