Last month, the PCI Security Standards Council (PCI SSC) officially released v3.0 of its compliance standard, but it will take some time before everyone involved (merchants, service providers and auditors) has figured out how the new mandates will impact their organization.
The effective date of the v3.0 standard is January 1, 2014, but if you are compliant with v2.0, you have a year to move to the new v3.0, and some of the changes will be a "best practice" for 6 more months until they become actual requirements on June 1, 2015.
What gives PCI DSS more impact than most other regulations is that it concerns almost everyone. The level of compliance varies based on the scope and size of each merchant. There are four levels, the highest being Level 1, for merchants that process more than 6 million credit card transactions per year.
Depending on your volume of credit card transactions, you may only have to complete the Self Assessment Questionnaire once per year. The PCI standard is not enforced by State or Federal agencies but by the credit card brands. If you are found to violate PCI, you can be fined or potentially lose the ability to process credit cards altogether. (By the way, if regular audits are taking up too much of your time, you should check out the new KnowBe4 Compliance Manager.)
Obviously the overall goal is to protect cardholder data. PCI may seem complicated, but it can be boiled down to something relatively easy: just 12 rules that are grouped into 6 categories. Here are the 6 categories with the 12 rules as bullets:
1. Build and Maintain a Secure Network
- Install and maintain a firewall to protect cardholder data.
- Do not use vendor-supplied default passwords for anything.
2. Protect Cardholder Data
- Protect stored cardholder data.
- Encrypt cardholder data while it is transmitted across public networks.
3. Maintain a Vulnerability Management Program
- Use antivirus software that is regularly updated.
- Develop and maintain secure systems and applications.
4. Implement Strong Access Control Measures
- Restrict access to cardholder data on a need-to-know basis.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
5. Regularly Monitor and Test Networks
- Monitor access to network resources and cardholder data.
- Regularly test security systems and processes.
6. Maintain an Information Security Policy
- Maintain an information security policy (oh, and provide security awareness training to all employees!).
Does not seem too complicated, does it? However, behind these 12 rules the standard includes hundreds of definitions and more detailed sub-requirements that you must follow to be compliant.
Remember: Security and Compliance Are Not The Same
You should really see PCI compliance as a baseline that needs to be maintained as much as possible. The Self Assessment Questionnaire (SAQ) is no more than a snapshot in time. The day after your SAQ, a major vulnerability may show up, and you are again at risk until it is patched. Major data breaches like the recent Target hack painfully illustrate this.
The diagram here is a humorous attempt to show the problem of confusing compliance with security. Yes, you need to be compliant. No, that does not mean your network is secure. Sometimes the effort of being compliant even prevents you from spending the time to really keep your network secure. Over time, though, the standard is being tweaked to address the rapidly changing threat landscape as well as changes in merchant networks and cardholder environments.
PCI DSS is a good methodology to help reduce risk and avoid data loss. And once you are compliant, you need to work every day to keep your network secure and stay compliant. Now, after this short intro, what is new in PCI 3.0? Tripwire took the 12 rules you just saw above and listed what is new for each. Here is their quite useful infographic: