By Sam Pfanstiel, Solutions Engineer, Bluefin
In my last blog, I discussed the specific drivers behind the new PCI-DSS 3.0 standard, and how the PCI community has refined the standard that is due to be released next month. In this post, I will go into more detail on the specific changes so that you and your organization can better prepare for the new standard.
Changes from 2.0 to 3.0
The following list represents most of the changes that you can expect with the coming standard. Keep in mind that some of these may only represent textual clarifications, while others may require increased scrutiny to ensure that your organization remains compliant under the new standard:
1. Cardholder data environment diagram must now show the flow of cardholder data. (Requirement #1)
2. Maintain a full inventory of all components that may be in scope, including cryptographic keys and certificates. (Requirement #2)
3. Additional flexibility on the use of cryptographic keys, as well as more clarifying information on dual access controls. (Requirement #3)
4. Increased awareness of the malware threat, which is now affecting more systems. (Requirement #5)
5. Addition of new authentication methods such as tokens, smart cards, and certificates, as well as greater flexibility on password complexity. (Requirement #8)
6. Addition of physical security requirements for POS terminals. Physical tampering is further addressed by the P2PE standard, but is now making its way into the DSS to ensure that access to card readers is limited. (Requirement #9)
7. Addition of a new penetration testing method to ensure network segments are properly protected. (Requirement #11)
8. Clarification of which requirements fall to third-party service providers, to better ensure that no security requirements are overlooked during the hand-off. (Requirement #12)
9. Approved Scanning Vendors (ASVs) will now be required to put more emphasis on the quality and consistency of their scans.
10. Qualified Security Assessors (QSAs) will now undergo greater scrutiny on their reports, and thus will be more thorough in their audits.
In addition to these changes, the new specification also includes an updated list of vulnerabilities based on emerging threats, additional best practice recommendations, and some reorganization of the document as a whole in order to place policies and requirements closer to the technical systems to which they relate.
Other Coming Changes
In addition to the changes to the DSS standard discussed above, the PCI Council was also eager to announce upcoming specification changes for PA-DSS, which will be released at the same time and run parallel to many of the changes above. Further, the community is eagerly awaiting the announcement of the first fully validated P2PE Solution (and we are happy to announce that Bluefin is still in the running!). Finally, a new standard may be revealed that will affect the way that service providers offer tokenization services as well.
In all, the overwhelming themes of the 2013 Community Meeting were improved breach response, maintaining a forward-looking approach to threat deterrence, and improving buy-in from merchants and providers to continue building a more secure transaction infrastructure. And from the preview we received, the new DSS 3.0 standard certainly reflects this commitment.