PCI DSS Version 3.0: Still No Need to Worry


The PCI Security Standards Council oversees the development of payment card industry data security standards.

Last week, I blogged about the upcoming Payment Card Industry Data Security Standard (PCI DSS) Version 3.0 updates from the PCI Security Standards Council (PCI SSC). I thought it might be a good idea to offer a little more reassurance, just in case you're still worried.

Yes, there will be tweaks to specific requirements. You can review them all in the PCI Data Security Standard and Payment Application Data Security Standard Version 3.0 Change Highlights document. Of course, the final word comes with the official announcement, but here are a few of the more significant changes we can expect.

  • Data Flow Diagram: Maintain a current diagram showing how cardholder data flows through the environment, making data flow an explicit component of the network diagram rather than an afterthought.
  • In-Scope Systems: Maintain an inventory of the system components that are in scope for PCI DSS, to support accurate and repeatable scoping.
  • Vulnerability Assessments: Align secure coding and threat prevention programs with industry sources such as OWASP, NIST, SANS and Carnegie Mellon CERT, and maintain an updated list of common vulnerabilities for inclusion in secure coding practices, so that developers keep current with emerging threats. Evaluate evolving malware threats even for systems not commonly affected by malware, to demonstrate due diligence in protecting those systems.
  • Penetration Testing Methodology: Implement a documented penetration testing methodology, to address the need for more detailed penetration tests, more stringent verification of scope, and consistent, comparable assessment results.
  • Penetration Testing Verification: Mandates that penetration tests are performed to verify that segmentation methods are operational and effective, meaning that testing from out-of-scope networks confirms the cardholder data environment really is isolated.
  • Protect Terminals: Provide oversight of POS terminals and devices, addressing the physical security of payment terminals to thwart tampering, substitution, skimming, theft and other physical attacks.
  • Service Provider Engagements: Identify and list which PCI DSS requirements are managed by third-party service providers and which are managed by the entity itself. Clearly state service provider responsibilities for cardholder data while it is in their possession, and for maintaining compliance with PCI DSS for the term of the contract.
  • Reporting: New reporting requirements are intended to ensure consistency between assessments, and changes to the Report on Compliance (ROC) reporting section will simplify and streamline the test reporting process.
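The segmentation verification item above is the one that most often trips people up in practice, because "the firewall has a deny rule" is not the same as "nothing gets through". The usual evidence is a port scan run from an out-of-scope network segment against the cardholder data environment (CDE) address range, with every port expected to come back as filtered. The script below is an added example, not part of this post or of any PCI SSC material: it parses nmap's grepable (`-oG`) output and flags anything that contradicts that expectation. The scan output embedded in it is constructed for illustration, the host names and addresses are hypothetical, and the file name `seg_check.py` is just a suggestion.

```python
"""Review nmap grepable output from a segmentation test and flag leaks.

Intended use (hypothetical host range): from a machine on an OUT-OF-SCOPE
segment, scan the CDE range with
    nmap -sS -p- -Pn -oG cde_from_corp.gnmap 10.10.20.0/28
then run:
    python seg_check.py cde_from_corp.gnmap
With no argument the constructed sample below is used instead.
"""
import sys
from dataclasses import dataclass

# A correctly enforced deny rule drops packets silently, so every port on every
# CDE host should report this state when scanned from outside the CDE.
EXPECTED_STATE = "filtered"

# Constructed sample modelled on nmap -oG output; not real scan data.
SAMPLE_GREPABLE = """\
# Nmap scan initiated as: nmap -sS -p- -Pn -oG - 10.10.20.0/28
Host: 10.10.20.5 (pos-db01)\tStatus: Up
Host: 10.10.20.5 (pos-db01)\tPorts: 1433/open/tcp//ms-sql-s///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: filtered (65533)
Host: 10.10.20.6 (pos-app01)\tStatus: Up
Host: 10.10.20.6 (pos-app01)\tPorts: 443/closed/tcp//https///\tIgnored State: filtered (65534)
# Nmap done
"""


@dataclass(frozen=True)
class PortResult:
    host: str
    port: int
    proto: str
    state: str
    service: str


def parse_grepable(text):
    """Extract (host, port, proto, state, service) tuples from -oG output.

    Each 'Host:' line is tab-separated; the 'Ports:' field holds comma-separated
    entries of the form port/state/proto/owner/service/rpc/version/.
    """
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]  # "Host: 10.10.20.5 (pos-db01)" -> address
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 5 or not parts[0].isdigit():
                    continue  # malformed entry; skip rather than guess
                results.append(PortResult(host, int(parts[0]), parts[2], parts[1], parts[4]))
    return results


def classify(results):
    """Return every result that is NOT the expected filtered state.

    open / open|filtered / unfiltered: a service answered, so traffic crosses
    the segmentation boundary.  closed: the host replied with RST, so packets
    reach the CDE host even though nothing listens; the boundary should have
    dropped them.  Both count as segmentation failures for PCI purposes.
    """
    return [r for r in results if r.state != EXPECTED_STATE]


def segmentation_effective(text):
    """True only if nothing in the scan output contradicts full isolation."""
    return not classify(parse_grepable(text))


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_GREPABLE
    failures = classify(parse_grepable(text))
    if not failures:
        print("PASS: all scanned ports filtered from the out-of-scope segment")
        return 0
    print("FAIL: segmentation leaks detected")
    for f in failures:
        why = "service reachable" if f.state != "closed" else "host reachable (RST), no service"
        print(f"  {f.host}:{f.port}/{f.proto} {f.state:<8} {f.service or '-':<15} {why}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Note that a scan with `-Pn` is deliberate: host discovery pings would themselves be dropped by a working boundary, and without `-Pn` nmap would skip the hosts and report nothing, which looks like a pass but proves only that ICMP is blocked. A passing result also only covers the one source segment and the ports actually scanned; the assessor still has to repeat this from every network that is claimed to be out of scope.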

Don't forget, the transition should be pretty painless, and that's why we're here. As a certified PCI DSS Version 2.0 Level 1 service provider, we're planning our own transition to Version 3.0, and we're here to help ensure you maintain your compliance, too. Just click here to talk to a trusted Windstream advisor.

I'll be back here, blogging about any changes to the proposed requirements, so check back soon. Even if it's just to read that "still no reason to worry" promise again.