PCI-DSS 3.0: Three Things to Know to Ensure Compliance, Security and Business Agility

Since the initial release of PCI-DSS, networks, data centers and threats to cardholder data have continued to evolve, driving further refinement of the standard. While the initial PCI-DSS created a framework for its members to follow, it has evolved to address what we’ve learned from PCI implementations and gaps, as well as technological advances.


Now that PCI-DSS 3.0 is in effect, as of January 1, 2014, organizations have a framework for making payment security part of their business-as-usual activities; the standard introduces more flexibility and an increased focus on education, awareness and security as a shared responsibility. This is an important change because PCI-DSS 3.0 focuses on security (as opposed to compliance) and on how to make security part of your business processes. Here are three main concepts that PCI-DSS 3.0 attempts to address:

1. Improving security education

The latest release of the PCI standard attempts to fix the lack of awareness around payment security and to find a better way of educating organizations on the goal of the requirements and on how to properly implement and maintain controls throughout the network.

More organizations need to be made aware of how their employees are involved in the payment chain, so that security standards are effectively implemented and followed. It’s not just about the security team putting controls in place, but also about educating users for whom security is not top of mind. You’re only as good as your weakest link, and employees all too often leave openings for attackers, whether by choosing poor passwords, clicking on malicious links, sharing sensitive information via social media, etc. It’s not just about having more layers of security, but also about ensuring that employees involved in the payment chain understand the risks and what to do vs. what not to do.

The standard also addresses issues that arise from poor implementation of its requirements. Not knowing and understanding what is in your network can be detrimental to your customers’ payment information and also to your organization: do you know how data and traffic are flowing through your firewalls and routers?

2. Flexibility

An important update in PCI-DSS is the recognition that each corporate network and data center is unique, and that what works to secure one environment may not be as effective in another. Some environments are entirely on-premise, while others are in the cloud (private, public or hybrid) or a mix of on- and off-premise. There is no one-size-fits-all approach in this evolving landscape. This is key because while PCI members, merchants and service providers must have proper controls in place to protect cardholder data, they should have some flexibility to implement these controls in a way that makes sense for their business.

3. Shared Responsibility

Security is no longer a one-team mentality, but rather a shared responsibility of many different roles. Shared responsibility means all the different people and teams within the organization as well as outside providers have accountability for the network’s overall security. This can be internal stakeholders such as application owners, database admins, network operations, security engineers, firewall administrators, etc. as well as outsourced third-parties that play a role in processing and storing cardholder data.

Outsourcing is a common practice, and more cloud deployments are on the horizon, so keep in mind that according to the PCI Council, 63 percent of investigations identifying a security gap exploited by attackers revealed that a third party was responsible for system support, development or maintenance. Whether your cloud is a hosted solution, virtual, SaaS, IaaS or PaaS, your provider should also share responsibility when it comes to the security of your networks, data centers and ultimately cardholder data.

All of the changes in PCI-DSS 3.0 are designed to address how networks and data centers have evolved, and not only to improve security controls but to build them into the fabric of your business. Ultimately, you must know what’s in your network and how data is flowing through it, and ensure that all of your key stakeholders are aligned to work together toward PCI compliance as well as a more secure and agile operation. Keep up the education and awareness, manage risk with the business in mind, and you will be well on your way.
