PCI DSS 3.0 highlights

  • Team Omega
  • January 7, 2014

1. More rigorous penetration testing
Controls 11.3 and 11.3.4 now require merchants to verify methods used to segment the cardholder data environment (CDE) from other areas.

2. Inspecting POS systems regularly
Requirement 9.9 now mandates that merchants protect point-of-sale (POS) devices and regularly inspect them on site to detect tampering and device substitution. Assessors performing the validation and testing are also required to “verify that a list of hardware and software components is maintained and includes a description of function/use for each”; so merchants must not only document every component in the CDE, but also document what each component does and why it is there.

3. Avoiding service provider non-compliance
Requirement requires providers to use unique authentication credentials when remotely accessing each customer's environment, and Requirement 12.9 clarifies that providers must give customers written documentation acknowledging that the provider is responsible for the cardholder data it handles. The IT group or individual that manages the cardholder data environment for merchants may also be affected by several other changes, most notably Requirement 11.5.1, which requires that a process be implemented to respond to change-detection alerts raised in the cardholder data environment.

4. Antimalware
Requirement 5.1 mandates that merchants evaluate malware threats even on systems that are not commonly affected by malware. This means merchants should have a process in place to perform that evaluation on an ongoing basis. Requirement 5.3 now mandates specific management authorization to disable or alter the operation of antivirus mechanisms, and requires that any such disabling be limited to a defined time period.

5. Physical access and point of sale
Requirement 9.3 in PCI DSS 3.0 requires that merchants control physical access for on-site personnel, that access be authorized and based on individual job function, and that access be revoked immediately upon termination. Requirement 9.9 now requires that merchants “protect devices that capture payment card data … from tampering and substitution.”

If you require assistance on addressing the gaps in your environment, contact Omega ATC.