PCI Compliance is integral to the security of data as regards all those organizations and companies that handle payments made via cards.
The PCI DSS ( Payment Card Industry Data Security Standard), which defines practices for protection against electronic fraud, is endorsed by leading credit card agencies and applies to all entities that process, store or transmit cardholder data. This would include banks, retailers, payment processors etc. PCI compliance is mandatory and failure to comply could invite fines and other actions. It’s therefore that companies do all that is needed, including going for the PCI SAQ, to ensure PCI compliance. (PCI SAQ is a document that merchants are required to complete every year and submit to their Acquiring Bank; the PCI SAQ helps ensure PCI compliance).
PCI DSS version 1.0 was released in December 2004, followed by versions 1.1, 1.2, 1.2.1, 2.0, 3.0, 3.1 and now 3.2.
PCI DSS 3.2: What’s new?
PCI DSS 3.2 comes with some significant changes being brought into the existing set-up. Let’s discusses some of the major changes that are being brought in…
PCI DSS 3.2, in a bid to ensure better PCI compliance, demands that it’s to be made sure that security controls are in place following changes that happen in the cardholder data environment. This is requirement 6.4.6 of PCI DSS 3.2. Troy Leach, Chief Technology Officer at PCI council had explained this in a blog that was published in the PCI Security Standards Council blog in April, when PCI DSS 3.2 was released. Says Troy Leach- “It is important to have a process to analyze how changes may impact the environment and the security controls that organizations rely on to protect cardholder data. Building this validation into change management processes helps ensure that device inventories and configuration standards are kept up to date, and security controls are applied where needed…A change-management process helps provide supporting evidence that PCI DSS requirements are implemented or preserved through the iterative process and simplify future PCI DSS compliance responsibilities…These changes also ensure organizations view security as an organic process that evolves with the company as an ongoing effort and not a yearly assessment to correct behavior”.
As per requirements 10.8 and 10.8.1, service providers need to detect and report on failures of critical security control systems. Troy Leach explains- “Without formal processes to detect and alert to critical security control failures as soon as possible, the window of time grows that allows attackers to identify a way to compromise the systems and steal sensitive data from the cardholder data environment.”
Requirements 12.11 and 12.11.1 demands that service providers perform quarterly reviews to confirm that personnel are following security policies and operational procedures.
Requirement 12.4.1 demands that executive management of service providers should establish responsibilities and a PCI compliance program.
Requirement 188.8.131.52 says that service providers need to perform penetration testing on segmentation controls every six months.
Getting familiar with the latest version is very important for companies who know how important PCI compliance is. In fact, all companies that deal with cardholders’ data should have PCI compliance. So now, whiletaking the SAQ next time, make sure you have complied with all the requirements mentioned in PCI DSS. It would make your job easy for you. It would make PCI compliance easily attainable for you.