How to Prepare Your Business for PCI DSS 3.0
Credit card breaches have become widespread and affect retail organizations worldwide. The recent retail data breaches at Home Depot, Target, Michaels, and Kmart show how cardholder data (CHD) has become a prime target for cybercriminals, and retailers need stronger security measures to protect their customers' data. Any organization that stores, processes, or transmits CHD is therefore required to comply with version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS 3.0).
PCI DSS 3.0 went into effect on January 1, 2014. Organizations that were already assessed against PCI DSS 2.0 could continue to validate against 2.0 until December 31, 2014; from January 1, 2015, assessments must be against 3.0 (a handful of the new requirements remain "best practice" until June 30, 2015, after which they are mandatory). The updated standard provides a baseline of security measures that aligns all organizations with industry best practice, and it pushes organizations to build these practices into their daily operations. Where PCI DSS used to be treated as a once-a-year audit exercise, retailers now need to practise it in their day-to-day business.
How Can Your Organization Prepare For PCI 3.0?
1. Your company needs to understand what requirements have evolved in PCI 3.0
Your IT administrator needs to map your current network environment against the new PCI DSS 3.0 requirements, so your company must plan the move from 2.0 to 3.0 now, before the January 1, 2015 deadline. Version 3.0 adds security assessments and controls for the network devices that define your cardholder data environment, including routers and firewalls, and it requires a current diagram of how cardholder data flows through your systems. Your organization is now required to have written agreements with its third-party service providers that state which PCI DSS requirements each party is responsible for (Requirements 12.8 and 12.9). Furthermore, there are new requirements for the physical protection of payment terminals: maintaining a list of point-of-sale devices, inspecting them for tampering or substitution, and training staff to recognize it (Requirement 9.9).
2. Your IT department needs to build and implement a risk-based approach for your security
Your organization needs to build security risk management into its daily business practices. Corporate-wide, this means maintaining an inventory of every system component that falls within the scope of PCI DSS (Requirement 2.4), since a component you do not know about cannot be protected or assessed. Security has to be an ongoing priority, with standing procedures for PCI compliance rather than a once-a-year effort. PCI DSS 3.0 reflects this by requiring more frequent assessment and monitoring of the network environment and by asking organizations to evaluate new threats as they emerge.
3. Protect your client’s information that is stored on your network, especially their card data
Many retailers still store card data on servers, data warehouses, desktops, and backup systems, often without a complete picture of where it all sits. PCI DSS expects you to store as little of it as possible: sensitive authentication data (full magnetic-stripe track data, the card verification code, and PINs) must never be stored after authorization, and any primary account number (PAN) you do keep must be rendered unreadable wherever it is stored, by truncation, tokenization, one-way hashing, or strong encryption with properly managed keys. You are responsible for keeping tight controls on this data and for knowing where every copy of it resides, including copies that leak into logs and debug output. With the new PCI DSS it remains up to your IT security administrator to protect this data from unauthorized access.
4. Your IT security team needs to develop procedures to regularly test your security systems
PCI DSS requires internal and external vulnerability scans at least quarterly and after any significant change to the environment, with the external scans performed by a PCI Approved Scanning Vendor (Requirement 11.2); version 3.0 also requires penetration testing to follow a documented, industry-accepted methodology (Requirement 11.3). Quarterly is a floor, not a target: it is recommended that your IT department take a continuous approach, scanning internal and external networks for vulnerabilities and monitoring for threats from inside and outside the organization on a daily basis, so that a control that drifts out of compliance is caught in days rather than at the next quarterly scan. Your company needs vulnerability scanning products and services that meet the PCI DSS requirements, including ongoing assessment of all public-facing web applications.
5. Your company needs to maintain a vigilant policy compliance program
The new PCI standards require companies to satisfy external and internal assessors, so you need supporting evidence that your company is meeting the standard and its related regulatory mandates. A policy compliance program that uses automated configuration and policy checks reduces the risk to your network and makes it easier to demonstrate compliance, because the evidence is collected continuously instead of being assembled before an audit. Such a program helps your IT security team identify and track the key security settings across your network and improves your PCI compliance posture over time.