5 ways PCI is becoming more security-conscious next year

Here are the top five changes in the standard

The newest Payment Card Industry Data Security Standard was released this month, PCI DSS 3.0, and it is all about security instead of compliance.

That's according to a new report by Torsten George, vice president at Sunnyvale, CA-based security risk management vendor Agiliance, Inc.

The following are what George identifies as the top five changes in the standard:

The new standard is 24-7

The standard goes into effect on January 1. But while some of the requirements aren't mandated until July, companies shouldn't wait until then - or until their next audit - to start getting their house in order.

It makes no sense to have security systems in place and operational only while a company is being audited. The crooks, after all, aren't going to be polite and wait.

"An annual audit is not security, it's compliance," said Stephen Orfei, general manager at Wakefield, MA-based PCI Security Standards Council, LLC, which created the standard. "That's a checkbox mentality. Let's change the dialogue to one of security, and security has to be 24-7."

More education and awareness around passwords

Password management is one of the weaker areas for merchants, according to this year's Verizon report.

Using default passwords, weak passwords, reusing credentials for different systems or users, and not using two-factor authentication when appropriate are all still problems for many companies.

"You have default passwords being left behind and that's a huge vulnerability," said Orfei. "You have to have strong passwords, you have to change passwords, and make sure you have these routines daily. It's something you have to build into the DNA of the company, and you have to do it religiously."

Better vendor risk management

"A lot of attacks come through business partners or entities," said Orfei.

In the case of the Target breach, for example, the initial attack vector was the company's HVAC contractor.

Under the new standard, vendors must spell out exactly which services they are providing when they go through their PCI compliance checks, so that customers can confirm that the vendors are in fact compliant for the things the customers actually use them for.

The PCI Security Standards Council lists vendors and software that have already gone through reviews - but that doesn't mean that merchants can then stop worrying about them. They still need to ensure that the software and applications they use are implemented correctly, and that vendors are actually living up to the security promises they've made.

"You have to validate that things have been done properly," said Orfei.

New requirements for penetration testing

"We're advocating more pen testing," said Orfei.

Previously, the recommendation was an annual approach. Under the new standards, it's a quarterly recommendation, he said.

In addition, the new standard provides more information about what a penetration test should actually include.

"They've provided clarity - they've never before written it down," said Jeff Man, PCI security evangelist at Columbia, MD-based Tenable Network Security.

More systems covered

Previously, merchants could ignore systems that didn't hold card data or personally identifiable information.

Now, the PCI standard has expanded to include systems that, say, might not actually store data but would allow someone to look at data.

"This will result in more complex compliance assessments," said Agiliance's George in the report.
