PCI DSS 3.0: Protect Your Data, Protect Your Reputation

After a year of headline-making security breaches, the changes in PCI DSS3.0 that went into effect on January 1, 2015, are welcomed by the payment card industry. The updates are clustered around three main themes: Education and Awareness, Flexibility, and Security as a Shared Responsibility.

Using those themes to guide changes, PCI DSS 3.0 focuses more on security and less on compliance. Educating employees at all levels of an organization fosters greater understanding of and adherence to security policies. Increasing flexibility in the framework allows businesses to customize solutions to fit their specific needs.  Treating security as a shared responsibility encourages business to work with all partners—internal and external—to protect customer data.

5 New Common Sense Requirements 

Some of the biggest breaches in the last year—Home Depot, Michaels, P.F. Changs, Staples, Sony—could have been avoided or lessened by the improvements in PCI DSS 3.0. Five of the most practical new requirements build on lessons learned from past breaches and can significantly enhance data security.

1. Evaluate evolving malware threats for systems not considered common targets for malicious software.
   Malicious actors know that security is strongest where people anticipate attacks. Increasingly, they are looking for obscure points of entry that have weaker security and less monitoring.
2. Anti-virus is active and cannot be disabled.
   It is not uncommon for people to try to disable anti-virus systems in the course of troubleshooting or when they think those systems are slowing them down in some way. Preventing people from disabling these systems is a low-cost, low-effort way of enhancing security.
3. Service providers with remote access must use unique authentication for each customer they access.
   Getting access to one set of credentials should not endanger hundreds of businesses. Requiring external partners to use unique credentials is another common sense step to help enhance the safety of customer data.
4. Control physical access to sensitive areas for onsite personnel.
   Just as employees can be lax about usernames and passwords, they can be lax with physical locks. Limiting access to only those who need it is an inexpensive, efficient way to protect.
5. Protect devices that capture payment card data via physical interaction with cards from tampering.
   Payment terminals are a favorite target of hackers and many offer even unsophisticated crooks an easy point of access. Protecting and monitoring these devices is crucial if you want to secure payment card data.

PCI DSS 3.0 Compliance is Better for Businesses and Customers

The revised framework contains dozens of changes and additions. While some are simple clarifications, others are significant changes from previous versions. Together, they provide more adaptability and security for your business and peace of mind for your customers.

Conducting a compliance assessment is the best way to ensure that your organization is benefiting from the added security and improved efficiency in PCI DSS 3.0. Securance has the knowledge and experience to conduct the assessment and help you leverage the flexibility of the framework to suit your business needs. Contact us for more information or to schedule a consultation.