PCI-DSS 3.0: Three Things to Know to Ensure Compliance, Security and Business Agility

Since the initial release of PCI-DSS, networks, data centers and threats to cardholder data have continued to evolve, driving further refinement of the standard. While the initial PCI-DSS created a framework for its members to follow, it has evolved to address what we’ve learned from PCI implementations and gaps, as well as technological advances.

With PCI-DSS 3.0 in effect as of January 1, 2014, organizations have a framework for treating payment security as part of their business-as-usual activities: the new version introduces more flexibility and places an increased focus on education, awareness and security as a shared responsibility. This is an important change because PCI-DSS 3.0 focuses on security (as opposed to compliance) and on how to make security part of your business processes. Here are the three main concepts that PCI-DSS 3.0 attempts to address:

1. Improving security education

The latest release of the PCI standard attempts to fix the lack of awareness around payment security and to find a better way of educating organizations on the goal of the requirements and on how to properly implement and maintain controls throughout the network.

More organizations need to be aware of, and educated about, how their employees are involved in the payment chain, so that security standards are effectively implemented and followed. It’s not just about the security team putting controls in place, but also about educating users for whom security is not top of mind. You’re only as good as your weakest link, and employees all too often leave openings for attackers, whether by choosing poor passwords, clicking on malicious links, sharing sensitive information via social media, etc. It’s not just about having more layers of security, but also about ensuring that employees involved in the payment chain understand the risks and know what to do vs. what not to do.

It also addresses issues arising from poor implementation of the standard. Not knowing and understanding what is in your network can be detrimental to your customers’ payment information and to your organization – do you know how data and traffic are flowing through your firewalls and routers?

2. Flexibility

An important update in PCI-DSS is the recognition that each corporate network and data center is unique, and what works to secure one environment may not be as effective in another. Some environments are entirely on-premise, while others are in the cloud (private, public or hybrid) or a mix of on- and off-premise. There is no one-size-fits-all in this evolving landscape. This is key because while PCI members, merchants and service providers must have proper controls in place to protect cardholder data, they should have some flexibility to implement these controls in a way that makes sense for their business.

3. Shared Responsibility

Security is no longer a one-team mentality, but rather a shared responsibility of many different roles. Shared responsibility means all the different people and teams within the organization as well as outside providers have accountability for the network’s overall security. This can be internal stakeholders such as application owners, database admins, network operations, security engineers, firewall administrators, etc. as well as outsourced third-parties that play a role in processing and storing cardholder data.

Outsourcing is common practice and more cloud deployments are on the horizon, so keep in mind that, according to the PCI Council, 63 percent of investigations identifying a security gap exploited by attackers revealed that a third party was responsible for system support, development or maintenance. Whether your cloud is a hosted solution, virtual, SaaS, IaaS or PaaS, your provider should also share responsibility for the security of your networks, data centers and ultimately cardholder data.

All of the changes in PCI-DSS 3.0 are designed to address how networks and data centers have evolved, and not only to improve security controls but to build them into the fabric of your business. Ultimately, you must know what’s in your network and how data is flowing through it, and ensure all of your key stakeholders are aligned to work together toward PCI compliance as well as a more secure and agile operation. Keep up the education and awareness, manage risk with the business in mind, and you will be well on your way.

Related Reading: The New Compliance Checklist

Related Reading: PCI DSS 3.0: The Impact on Your Security Operations

Related Reading: New Changes to PCI Data Security Standard 3.0 Published