Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

8 things to know about PCI DSS 3.0

Version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS) is due to be published on Nov. 7. 

That may send shivers down your spine, but the reality is, as technology advances and threats evolve, payment security requirements need tweaking.

First things first: Don't panic. Merchants won't have to start validating compliance with the updated standard until Jan. 1, 2015. However, if you're going to be ready by then, it's a wise idea to start getting a handle on the changes now.

While I love how PCI DSS has forced organizations to more aggressively consider data security as part of their day-to-day operations, I also recognize how the standard can sometimes be confusing and overwhelming - especially when there are changes. 

Our job at Trustwave is to make the transition to version 3.0 easier on you. That is why, based on conversations with and "Change Highlights" documentation provided by the PCI Security Standards Council, I complied eight of the most important changes (both general and more specific) that I expect we'll see in the forthcoming version.

Nothing, of course, is official until the updated standard is published, but I believe becoming familiar with these eight things will make your migration to PCI DSS 3.0 less stressful and more manageable.

1) PCI compliance is an everyday thing.

Organizations often struggle to maintain compliance obligations due to senior management wanting to keep these costs as low as possible. This results in a check-the-box mentality that focuses on achieving compliance only at a given point in time. The updated requirements are expected to introduce "business as usual" guidance, meaning senior management will be responsible for ensuring someone is maintaining PCI controls and obligations at all times.

2) Temporary employees need training as well.

Expect PCI DSS version 3.0 to extend security awareness training requirements to temporary workers, in addition to permanent staff. This will have a large impact on industries such as retail or where any temporary workforce interacts with systems that are connected to the cardholder data environment (CDE). Merchants tend to increase their temporary workforce at peak periods like Christmas and Easter. Plan accordingly.

3) The term "isolation" offers hope for reducing scope.

Due to industry challenges around the definition of a cardholder data environment (CDE), the standard's scoping guidance likely will be improved and tightened. By the requirements emphasizing the word "isolation," qualified security assessors (QSAs) will be able to provide the required level of guidance when defining a CDE.  In addition, I believe there will be a requirement to provide assurance of isolation of the CDE in version 3.0 audits. This will require a penetration test of the complete CDE boundary and will include security systems and devices that live outside of the CDE network boundary.

4) Get to know your service provider.

One of the current challenges with merchants outsourcing their payment systems is the lack of contractual terms that clearly cover responsibility and liability of data during the engagement. The new version of the PCI DSS will likely include language that all new contracts must clearly state that the service provider understands their responsibility for card data when it is in their possession. They will also have to affirm that they are responsible for maintaining compliance to PCI DSS standards for the term of the contract.

The protection of data is the goal of PCI DSS, but encryption can only take you so far. Your data is only protected if you are protecting the encryption keys in the required manner. There are many different industry standards, including NIST, PCI-PTS, SANS, which you can use to ensure you are safeguarding and managing encryption keys in the required manner. Expect the updated standard to tighten the rules around key management.

6) If you outsource e-commerce payment processing, you still need to do PCI.

Currently an e-commerce website that redirects a customer's computer to a third-party service provider for payment processing is not within scope of a PCI assessment. This is because the website itself does not store, process or transmit card data. But criminals still can compromise these sites and instruct the victim's computer to send payment data to them, as well as the third-party provider. As a result, 3.0 is expected to bring these sites into scope as well, meaning these e-commerce merchants will be required to implement security controls on all of their web servers.

7) Service providers must use unique access credentials for each customer.

Service providers that have access into their customer's cardholder data environment (CDE) traditionally have not applied and used unique credentials to support and access these environments. As a result, if a cybercriminal hacks a service provider, they can search the compromised website for known customers or scan blocks of the internet to look for similar remote access markers. Crooks want the biggest payoff for the least amount of effort. Expect version 3.0 to ensure service providers are using unique credentials for each customer they serve.

8) Penetration testing becomes even more important.

Pen testing provides assurance that networks are secure, in addition to the applications and the data contained within them. The next version of PCI DSS should greatly improve the quality of the pen testing that is required to be performed. As it stands now, the internal pen testing that is required does not need to follow an industry methodology, such as NIST, OWASP, etc., and the person carrying out the test is not required to be industry certified and have the correct level of independence. That will change. In addition, the cardholder data environment (CDE) will be required to be pen tested.

Michael Aminzade is director of compliance delivery - EMEA/APAC - at Trustwave.

Latest Trustwave Blogs

Trustwave Named in 2024 Gartner® Market Guide for Managed Detection and Response (MDR)

For the second consecutive year, Trustwave has been named a Representative Vendor in the 2024 Gartner® Market Guide for Managed Detection and Response.

Read More

6 Steps on How to Respond to a Data Breach Before it Ruins Your Business

Too many consumers have awoken one morning to find messages from a retailer or their bank detailing purchases made through their account of which they were unaware. While the realization that they...

Read More

Understanding the Impact of AI on Data Privacy

The world is just beginning to understand how the intersection of artificial intelligence (AI) and data privacy will impact organizations, their employees, and those who use their services. As of...

Read More