Countdown to PCI DSS 3.0 : Lessons Learned from Early Adopters

PCI DSS 3.0As most of us know, the PCI DSS assessment effectively moved from version 2.0 to 3.0 at the beginning of 2014.  The new 3.0 version raises security standards to help organizations focus more on the actual payment security aspect rather than the compliance itself.  Having performed many PCI DSS 3.0 assessments this year, we want to share what we’ve learned from working with these early adopter clients.

PCI DSS 3.0 is much more granular than the previous version

The new version eliminates many of the broad-based subjective decisions by the assessor and requires precise information to satisfy each applicable control.  Version 3.0 was designed to give a full accounting of the Cardholder Data Environment (CDE), detailing exactly the Who, What and How in regards to its protection.  It also strengthened controls around segmentation, vendor management and awareness training that can be challenging if you have not prepared before the assessment.  

In PCI DSS 3.0, there has been renewed emphasis placed on network segmentation to isolate the CDE from the rest of the network and reduce the scope of the PCI DSS assessment.  Firewalls with comprehensive rule sets need to be strategically placed to segment the network internally and effectively reduce scope.  Access controls are also a focal point because many organizations use a single domain controller for authentication within the CDE.  Active Directory controls authentication to the PCI DSS related systems within the CDE and all other Windows systems in the environment.  The problem is that even with very limited connections and locked-down firewall rules, access has to be granted to the domain controller and other support servers bringing them into the scope of the PCI DSS assessment.

Service providers are also playing a larger role in PCI DSS compliance.  With many organizations placing their CDE in data centers, service providers have emerged as key components in achieving PCI DSS compliance. Service providers are actively obtaining compliance to provide a higher level of comfort to their clients prior to managing or placing equipment in the facility. 

What organizations can expect from PCI DSS 3.0

Existing PCI DSS compliant organization can expect a thorough examination with a high level of detail for each applicable control.  The controls for each of the 12 testing requirements fall into the following categories:

  • ClarificationClarifies intent of requirement.  Ensures that concise wording in the standard portrays the desired intent of requirements.
  • Additional guidanceExplanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic.
  • Evolving RequirementChanges to ensure that the standards are up to date with emerging threats and changes in the market.

The result is a more comprehensive testing platform that ensures true PCI DSS compliance.  New clients in need of PCI DSS compliance may want to consider having a readiness assessment to accurately evaluate the scope and preparedness of their entire environment.  Existing clients should spend time consulting with their QSA firm to get a better understanding of the new requirements and the level of detail needed to become compliant with PCI DSS 3.0.

PCI DSS 3.0 will be mandatory after December 31, 2014

The end result of the new standard is that a far more superior report on compliance can be issued and the report itself more accurately depicts the protected cardholder data environment.  Given the deadline above, it is imperative that companies who have not been assessed under the new standards start preparing to become compliant as soon as possible.

Let A-LIGN answer any of your questions you may have about PCI DSS 3.0 at no cost. Call us at 888-702-5446 or email us at [email protected].

Author:  Vincent Booker, Senior Consultant

Picture:  Sean MacEntee