Below, we list the highlights of PCI DSS version 3.0 that you need to know about.
PCI DSS v3.0 deadline
Those of you involved with payment card security will no doubt be aware that the Payment Card Industry Data Security Standard version 3.0 will come into effect January 1, 2015. The official PCI DSS v3.0 can be downloaded from the PCI Security Standards Council.
Merchants will need to adhere to the new version by their next annual validation. For example, if you have your business annual validation in December 2014, you won’t need to validate according to version 3.0 until December 2015.
Unfortunately, not all merchants will be lucky enough to wait until December 2015 – many will have to begin transitioning now so that they meet the deadline by early next year.
Education and awareness
The new standard is geared towards helping organizations better understand the intent of its requirements by driving education and building awareness with business partners and customers. Lack of education, coupled with poor implementation and maintenance of the PCI standard, has caused too many security breaches recently.
Organizations will be encouraged to take a more customized approach to common security problems which will give them greater flexibility in meeting the requirements.
Security as a shared responsibility
In an increasingly complex payment environment, more companies than ever have multiple points of access to cardholder data. Version 3.0 will help them understand their PCI DSS responsibilities.
Others important changes
- The requirement for a written penetration testing methodology.
- The introduction of new SAQs.
- The need for data flow and network diagrams.
- The revision of contractual arrangements with service providers.
- The requirement to implement controls for POS devices.
- The implementation of a business-as-usual approach to security.
As the deadline for transitioning to version 3.0 fast approaches, merchants should consider what they need to do now in order to be compliant with the new version of the Standard next year.
The PCI DSS v3.0 Documentation Toolkit is specifically designed to assist payment card-accepting organisations (merchants) to become compliant with the PCI DSS v3.0. Not only does it provide pre-written compliant documentation templates for all the mandatory policies and guidelines, it also contains a Gap Analysis Tool to identify where you need to make changes and assess your level of compliance against PCI DSS v3.0.
For further information on this service, or to make a general enquiry about PCI v3.0, contact IT Governance on firstname.lastname@example.org or 1-877-317-3454.
Further PCI v3.0 resources: