How to Prepare Your Business for PCI DSS 3.0


Credit card breaches have become widespread and affect retail organizations worldwide. The recent retail data breaches at Home Depot, Target, Michaels, and Kmart show how cardholder data (CHD) has become a prime target for cybercriminals, and retailers need stronger security measures to protect their customers' data. Any organization that stores, processes, or transmits CHD, not only retailers, is contractually required by the card brands to comply with the Payment Card Industry Data Security Standard, now at version 3.0 (PCI DSS 3.0).

PCI DSS 3.0 was published in November 2013 and took effect on January 1, 2014. To give organizations time to transition, version 2.0 remained valid through December 31, 2014, so assessments begun on or after January 1, 2015 must be against 3.0. A few of the new requirements are designated "best practices" until June 30, 2015, after which they become mandatory. The updated standard provides a security baseline that aligns organizations with industry best practices and pushes them to build those practices into daily operations. Before, many treated PCI DSS as a once-a-year auditing activity; today retailers need to practice it in their day-to-day business.

How Can Your Organization Prepare For PCI 3.0?

1. Your company needs to understand what requirements have evolved in PCI 3.0

Your IT administrator needs to map your current cardholder data environment against the PCI DSS 3.0 requirements, so plan the move from 2.0 to 3.0 now, before the January 1, 2015 deadline. Among the changes: Requirement 1.1.3 calls for a current diagram showing all cardholder data flows across your systems and networks, which means knowing every router, firewall, and other device that cardholder data crosses. Requirement 12.8.5 requires you to document which PCI DSS requirements are managed by each third-party service provider and which remain yours, and Requirement 12.9 requires service providers to acknowledge in writing their responsibility for the cardholder data they possess or could affect. Requirement 9.9 adds protection of point-of-sale payment terminals against tampering and substitution, including a device inventory and periodic physical inspections; it is a best practice until June 30, 2015, then mandatory.

2. Your IT department needs to build and implement a risk-based approach for your security

Build security into your daily business practices rather than treating it as an annual exercise. Requirement 2.4 now requires you to maintain an inventory of every system component that is in scope for PCI DSS, and Requirement 12.2 requires a risk-assessment process that runs at least annually and after significant changes to the environment. Make security a priority with ongoing procedures for PCI compliance; 3.0 expects more frequent assessment of your network environment, not a once-a-year push.

3. Protect your client’s information that is stored on your network, especially their card data

Most retailers store some credit card data, and it turns up in more places than expected: databases, data warehouses, desktops, log files, and backup systems. You are responsible for knowing where every copy of cardholder data lives and keeping tight controls on it. Requirement 3.2 prohibits storing sensitive authentication data (full track data, CVV2/CVC2, PIN blocks) after authorization, even encrypted, and Requirement 3.4 requires the primary account number (PAN) to be rendered unreadable wherever it is stored, by strong one-way hashing, truncation, tokenization, or strong cryptography with proper key management. Requirement 3.3 limits what can be displayed to, at most, the first six and last four digits. With the new PCI DSS it is up to your IT security administrator to find this data and protect it from unauthorized access.
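Requirement 3 starts with knowing where PANs actually are. The following added example (not code from the original post) scans text such as log files or database exports for candidate card numbers, filters false positives with the Luhn check that every real PAN satisfies, and reports only a first-six/last-four masked form so the discovery report itself does not become a new store of cardholder data. The sample log lines are constructed for this example and use the publicly documented test card numbers; the `find_pans` and `scan_file` names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes (the way PANs are often written in receipts and logs). The lookarounds
# stop us from matching a shorter run inside a longer digit string.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812-1); every real PAN passes it, while most
    other digit runs (order IDs, timestamps, phone numbers) do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """First six and last four, the most PCI DSS Requirement 3.3 permits to
    display; everything else is replaced so the report holds no full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    source: str      # file or stream the PAN was found in
    line_no: int     # 1-based line number within that source
    masked_pan: str  # masked form only; the full PAN is never kept


def find_pans(text: str, source: str = "<input>") -> List[Finding]:
    """Scan text line by line and return a masked finding for every
    Luhn-valid candidate PAN."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Convenience wrapper (hypothetical usage) to scan a file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_pans(fh.read(), source=path)


# Constructed sample log for the example. The card numbers are the publicly
# documented test numbers (4111..., 5555..., 3782...), not real accounts.
SAMPLE_LOG = """\
2014-10-02 12:00:01 order=1234567890123456 status=ok
2014-10-02 12:00:07 DEBUG card=4111111111111111 exp=12/16
2014-10-02 12:00:09 card='5555 5555 5555 4444' cvv=123
2014-10-02 12:00:11 phone=555-123-4567 amex=378282246310005
2014-10-02 12:00:15 card=4111111111111112 (typo, fails Luhn)
"""


if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG, source="sample.log"):
        print(f"{f.source}:{f.line_no}: {f.masked_pan}")
```

Run against the sample, the scanner reports lines 2, 3 and 4 and skips the order number, the phone number and the mistyped card number, none of which pass Luhn or the length check. Every hit in a debug log is a finding in itself, because a PAN written to a log in the clear violates Requirement 3.4. Note what the scanner does not catch: the `cvv=123` on line 3 is sensitive authentication data that Requirement 3.2 forbids storing at all after authorization, so a PAN scanner must be paired with a review of what your applications log and persist. Production discovery tools also handle compressed files, binary database formats and non-UTF-8 encodings; this example covers plain text only.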

4. Your IT security team needs to develop procedures to regularly test your security systems

PCI DSS Requirement 11.2 requires internal and external vulnerability scans at least quarterly and after any significant change in the network, with the external scans performed by an Approved Scanning Vendor (ASV); scans must be repeated until high-risk findings are resolved and a passing result is achieved. Quarterly is the floor, not the goal. Maintain a continuous security approach: monitor your network daily, scan your internal and external networks frequently for new vulnerabilities, and test for threats from outside and within your organization. Version 3.0 also adds Requirement 11.3, a documented penetration testing methodology that covers the network and application layers and validates segmentation controls (a best practice until June 30, 2015), and keeps Requirement 6.6 for public-facing web applications, which must be assessed at least annually and after any change or be protected by an automated solution such as a web application firewall. Choose vulnerability scanning products and services that meet these requirements, including ongoing assessment of your web applications.

5. Your company needs to maintain a vigilant policy compliance program

PCI DSS also means meeting the demands of internal and external auditors: Requirement 12 asks for documented security policies and procedures, and a Qualified Security Assessor or your self-assessment questionnaire will require evidence that each control is actually in place. A vigilant policy compliance program that uses automated processes to collect configuration settings and audit evidence reduces the risk to your network and makes proving compliance with the new requirements far easier. Such a program helps your IT security team identify and track the key security settings across your network and improves your PCI compliance posture.
