PCI DSS 3.0: New and updated requirements

  • Team Omega
  • February 13, 2014

This list appeared in one of the articles about the updates in PCI DSS 3.0. There is a lot going on in the retail world, with breaches constantly increasing, both high- and low-profile ones. Hence all the fuss about data security and compliance. Coincidentally, this is also the year for transitioning to PCI DSS 3.0. Although PCI DSS 2.0 remains valid until the end of 2014, retailers, managed security service providers (MSSPs) and Qualified Security Assessors (QSAs) all have to be thinking about the road ahead starting now.

  • Req. 5.1.2 – Evaluate evolving malware threats for any systems not considered to be commonly affected
  • Req. 8.2.3 – Combined minimum password complexity and strength requirements into one, and increased flexibility for alternatives
  • Req. 8.5.1 – For service providers with remote access to customer premises, use unique authentication credentials for each customer*
  • Req. 8.6 – Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), these must be linked to an individual account and ensure that only the intended user can gain access
  • Req. 9.3 – Control physical access to sensitive areas for onsite personnel, including a process to authorize access and to revoke access immediately upon termination
  • Req. 9.9 – Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution*
  • Req. 11.3 – 11.3.4 – Implement a methodology for penetration testing; if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective*
  • Req. 11.5.1 – Implement a process to respond to any alerts generated by the change-detection mechanism
  • Req. 12.8.5 – Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity
  • Req. 12.9 – For service providers, provide the written agreement/acknowledgment to their customers as specified in requirement 12.8.2*

*Denotes a future-dated requirement that is a best practice until 15 July 2015.
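Requirement 11.5.1 above asks for a process that acts on what the change-detection mechanism reports, not merely for the mechanism itself. The script below is an added example written for this post; it is not code from the original article or from Omega ATC. It takes a SHA-256 baseline of monitored files, diffs a later snapshot against it, and dispositions every resulting alert against a change-control ticket list, so that each alert ends either as an approved closure or as an item to investigate. The monitored paths, file contents and the ticket id `CHG-0042` are all constructed for the demonstration, and the "filesystem" is an in-memory dict so the script runs offline.

```python
"""File-integrity change detection with an alert-disposition step (Req. 11.5.1).

Constructed example: the "filesystem" is an in-memory dict of path -> bytes so
the script runs offline. To monitor a real host, replace the two dicts with
bytes read from disk and persist the baseline digests somewhere write-protected.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Constructed sample: critical files as they looked when the baseline was taken.
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/opt/pos/bin/payment": b"\x7fELF...original-binary...",
}

# Constructed sample: the same host at the next scan. sshd_config was edited
# under an approved ticket, the payment binary changed with no ticket at all,
# and an unexpected file appeared next to it.
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 3\n",
    "/opt/pos/bin/payment": b"\x7fELF...tampered-binary...",
    "/opt/pos/bin/.helper": b"#!/bin/sh\n",
}


@dataclass(frozen=True)
class Alert:
    path: str
    kind: str  # "added", "modified" or "removed"
    old_digest: str | None
    new_digest: str | None


def snapshot(files: dict[str, bytes]) -> dict[str, str]:
    """Return path -> SHA-256 hex digest for every monitored file."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def detect_changes(baseline: dict[str, str], current: dict[str, str]) -> list[Alert]:
    """Compare two snapshots and emit one Alert per path whose digest differs."""
    alerts: list[Alert] = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            alerts.append(Alert(path, "added", None, new))
        elif new is None:
            alerts.append(Alert(path, "removed", old, None))
        elif old != new:
            alerts.append(Alert(path, "modified", old, new))
    return alerts


def triage(alerts: list[Alert], approved_changes: dict[str, str]) -> dict[str, str]:
    """Map each alert's path to a disposition string.

    approved_changes is path -> change-control ticket id (constructed here).
    A modification covered by a ticket is closed as approved; anything else,
    including files that appeared or vanished, is escalated. No alert is
    silently dropped, which is the point of "respond to any alert".
    """
    result: dict[str, str] = {}
    for alert in alerts:
        ticket = approved_changes.get(alert.path)
        if alert.kind == "modified" and ticket:
            result[alert.path] = f"approved ({ticket})"
        else:
            result[alert.path] = f"investigate: unexpected {alert.kind}"
    return result


def run_scan(approved_changes: dict[str, str]) -> dict[str, str]:
    """Baseline, rescan and triage in one call, returning path -> disposition."""
    baseline = snapshot(BASELINE_FILES)
    current = snapshot(CURRENT_FILES)
    return triage(detect_changes(baseline, current), approved_changes)


if __name__ == "__main__":
    # CHG-0042 is a constructed ticket id covering the sshd_config edit only.
    for path, disposition in run_scan({"/etc/ssh/sshd_config": "CHG-0042"}).items():
        print(f"{disposition:40} {path}")
```

In this run the sshd_config edit closes as approved, while the altered payment binary and the new `.helper` file are both escalated. Matching on the ticket's path alone is deliberately coarse; a production process would also compare the observed digest with the one the change ticket promised, so that a tampered file changed under cover of a legitimate ticket still gets investigated.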

Omega ATC, as a Level 1 certified service provider, is in the business of helping retailers prepare for QSA audits from start to finish. Get in touch with Omega. Now is the right time to get started.