The PCI Security Standards Council has published a change highlights document for v3.0, which is expected on November 7th, 2013.
According to the PCI SSC, these changes are intended to address the maturity of the industry since 2006. Lack of education and awareness coupled with poor implementation and maintenance are leading causes of breaches today; this update is intended to target these challenges by providing guidance and clarification on the intent of requirements and how to meet them.
V3.0 will introduce more changes than v2.0 did. There are still 12 security areas, but the new versions of the data security standards will include several new sub-requirements. Recognizing this as a challenge, the SSC will identify some of the sub-requirements as best practice only until July 2015. Additionally, v2.0 will remain active until December 31, 2014.
Per the PCI SSC, “this document is for advance informational purposes only and does not replace the current versions of PCI DSS and PA-DSS, the to-be-published detailed Summary of Changes, or Version 3.0 of the Standards.” “These proposed updates are still under review by the PCI community. Final changes will be determined after the PCI Community Meetings and incorporated into the final versions of the PCI DSS and PA-DSS published in November.”
Visit the PCI SSC document library and obtain a copy of the change highlights for your review.
Contact HALOCK to discuss the upcoming changes and how you can prepare your organization for v3 compliance obligations.
Author: Viviana Wesley, PCI QSA