The Payment Card Industry Security Standards Council has published the latest version of the data security standards it administers and highlighted what is new.
Version 3.0 of the PCI Data Security Standard (PCI DSS), which governs providers of payment applications, is available on the council’s website.
Version 3.0 becomes effective on 1 January 2014, but V2.0 will remain active until 31 December 2014 to ensure organisations have adequate time to make the transition.
The latest version is aimed at helping organisations make payment security part of their business-as-usual activities by introducing more flexibility.
There is also an increased focus on education, awareness and security as a shared responsibility.
New requirements for PCI DSS include:
- 5.1.2 – evaluate evolving malware threats for any systems not considered to be commonly affected;
- 8.2.3 – combined minimum password complexity and strength requirements into one, and increased flexibility for alternatives;
- 8.5.1 – for service providers with remote access to customer premises, use unique authentication credentials for each customer;
- 8.6 – where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates) these must be linked to an individual account and ensure only the intended user can gain access;
- 9.3 – control physical access to sensitive areas for onsite personnel, including a process to authorise access, and revoke access immediately upon termination;
- 9.9 – protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution;
- 11.3 and 11.3.4 – implement a methodology for penetration testing. If segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective;
- 11.5.1 – implement a process to respond to any alerts generated by the change-detection mechanism;
- 12.8.5 – maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity;
- 12.9 – for service providers, provide the written agreement/acknowledgement to their customers as specified in requirement 12.8.2.
Ensure PCI DSS Compliance with HANDD
HANDD Business Solutions offers a range of data security solutions to help achieve PCI DSS compliance, which we have categorised across our four data-centric solution areas of Data Identify, Data Exchange, Data Secure and Data View.
Our solutions include, but are not limited to: Data Classification, Access & Permission Management, SSH Key Management, Secure and Managed File Transfer, Data Integration, Data Automation, EDI, Secure Email, File Encryption, Data Loss Prevention, Mobile Security, Data Visibility, Data Monitoring & Data Reporting.
Alongside our software solutions, we provide a number of services including consultation, implementation and training, as well as global 24/7 support from our UK headquarters.
If you require expert PCI DSS consultation and advice, you can contact our security experts on +44 (0)845 643 4063 or via email at firstname.lastname@example.org.
Article Source: ComputerWeekly.com