PCI-DSS 3.0: Three Things to Know to Ensure Compliance, Security and Business Agility

Since the initial release of PCI-DSS, networks, data centers and threats to cardholder data have continued to evolve, driving further refinement of the standard. While the initial PCI-DSS created a framework for its members to follow, it has evolved to address what we’ve learned from PCI implementations and gaps, as well as technological advances.

With the release of PCI-DSS 3.0, in effect from January 1, 2014, organizations have a framework for treating payment security as a business-as-usual activity: the standard introduces more flexibility and an increased focus on education, awareness and security as a shared responsibility. This is an important change because PCI-DSS 3.0 focuses on security (as opposed to compliance) and on how to make security part of your business processes. Here are the three main concepts that PCI-DSS 3.0 attempts to address:

1. Improving security education

The latest release of the PCI standard attempts to fix the lack of awareness around payment security and finds a better way of educating organizations on the goal of the requirements and how to properly implement and maintain controls throughout the network.

More organizations need to be made aware of how their employees are involved in the payment chain, so that security standards are effectively implemented and followed. It’s not just about the security team putting controls in place, but also about educating users for whom security is not top of mind. You’re only as good as your weakest link, and employees all too often leave openings for attackers, whether by choosing poor passwords, clicking on malicious links, sharing sensitive information via social media, etc. It’s not just about having more layers of security, but also about ensuring that employees involved in the payment chain understand the risks and what to do vs. what not to do.

The standard also addresses issues that arise from poor implementation of its requirements. Not knowing and understanding what is in your network can be detrimental to your customers’ payment information and to your organization: do you know how data and traffic are flowing through your firewalls and routers?

2. Flexibility

An important update in PCI-DSS is the recognition that each corporate network and data center is unique, and what works to secure one environment may not be as effective in another. Some environments are entirely on-premises, while others are in the cloud (private, public or hybrid) or a mix of on- and off-premises. There is no one-size-fits-all answer in this evolving landscape. This is key because while PCI members, merchants and service providers must have proper controls in place to protect cardholder data, they should have some flexibility to implement those controls in a way that makes sense for their business.

3. Shared Responsibility

Security is no longer a one-team mentality, but rather a shared responsibility of many different roles. Shared responsibility means all the different people and teams within the organization as well as outside providers have accountability for the network’s overall security. This can be internal stakeholders such as application owners, database admins, network operations, security engineers, firewall administrators, etc. as well as outsourced third-parties that play a role in processing and storing cardholder data.

Outsourcing is a common practice, and more cloud deployments are on the horizon, so keep in mind that according to the PCI Council, in 63 percent of investigations that identified a security gap exploited by attackers, a third party was responsible for system support, development or maintenance. Whether your cloud is a hosted solution, virtual, SaaS, IaaS or PaaS, your provider should also share responsibility for the security of your networks, data centers and ultimately cardholder data.

All of the changes in PCI-DSS 3.0 are designed to address how networks and data centers have evolved, and not only to improve security controls but to build them into the fabric of your business. Ultimately, you must know what’s in your network and how data is flowing through it, and ensure all of your key stakeholders are aligned to work together toward PCI compliance as well as a more secure and agile operation. Keep up the education and awareness, manage risk with the business in mind, and you will be well on your way.

Related Reading: The New Compliance Checklist

Related Reading: PCI DSS 3.0: The Impact on Your Security Operations

Related Reading: New Changes to PCI Data Security Standard 3.0 Published
