The updated PCI DSS 3.2 requirements are coming to a head: the controls introduced in version 3.2 were treated as best practices until January 31, 2018, and become mandatory on February 1st, 2018. While we're sure that you've already started preparing for these new requirements, there may still be some areas that need more attention. This blog post is a quick list of the new requirements found in PCI DSS version 3.2, and how NopSec can help you get some of them in place quickly before the deadline.
Requirement 3: Protect stored cardholder data
- PCI DSS Requirement 3.5.1 [For service providers only]: Maintain a documented description of the cryptographic architecture, including details of all algorithms, protocols and keys used to protect cardholder data, and the key-management approach.
Requirement 6: Develop and maintain secure systems and applications
- PCI DSS Requirement 6.4.6: Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.
Requirement 8: Assign a unique ID to each person with computer access
- PCI DSS Requirement 8.3.1: Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access. (The broader parent requirement, 8.3, reads "Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication"; the remote-access portion is covered by 8.3.2, and the non-console administrative portion in 8.3.1 is what is new in 3.2.)
Requirement 10: Track and monitor all access to network resources and cardholder data
- PCI DSS Requirement 10.8 [For service providers only]: Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of firewalls, IDS/IPS, FIM, anti-virus, physical access controls, logical access controls, audit logging mechanisms, and segmentation controls (if used).
- PCI DSS Requirement 10.8.1 [For service providers only]: Respond to failures of any critical security controls in a timely manner
Requirement 11: Regularly test security systems and processes
- PCI DSS Requirement 11.2.1 All “high risk” vulnerabilities must be addressed in accordance with the entity’s vulnerability ranking (as defined in Requirement 6.1), and verified by rescans.
- PCI DSS Requirement 11.3.4.1 [For service providers only]: If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
Requirement 12: Maintain a policy that addresses information security for all personnel
- PCI DSS Requirement 12.4.1 [For service providers only]: Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program
- PCI DSS Requirement 12.11 [For service providers only]: Perform reviews at least quarterly to confirm personnel are following security policies and operation procedures.
- PCI DSS Requirement 12.11.1 [For service providers only]: Maintain documentation of quarterly review process.
- Appendix A2: This applies to entities still using SSL/early TLS as a security control to protect the CDE and/or CHD. Those entities must have a formal risk-mitigation and migration plan in place, and the migration deadline for moving off SSL/early TLS is June 30, 2018.
For Requirements 6.4.6 and 11.3.4.1 specifically, NopSec can help you perform Penetration Testing to ensure that you’re compliant and fulfilling the requirements of the updated regulations.
Ultimately, PCI DSS 3.2 requirements are all about shifting from a compliance mindset to that of best practices and thinking "beyond compliance." Once you adopt that mentality, compliance naturally follows (or at least you'll be closer to it, and the gap to fill will be smaller).
To discuss how PCI DSS requirements apply to your organization’s unique IT Security environment and challenges, reach out to us at hello@nopsec.com or call 646-502-7900.