This year, organizations adhering to PCI DSS must enforce the new PCI DSS 3.0 requirements across their environments (five more requirements take effect in July 2015). Organizations can't ignore the clarifications and evolving requirements outlined by the PCI Security Standards Council, some of which will benefit organizations by helping them detect suspicious activity or anomalies that are out of character for what business rules call for. Here are some best practices to make sure your organization can successfully be PCI 3.0 compliant:
- Ongoing assessments
Frequently review security controls such as access, separation of duties, configuration settings and log reviews to ensure they are appropriately set. Also review communications between business stakeholders and IT companywide to ensure that requirements are understood, in place and following secure processes. These reviews should take place at least once a year or whenever a major change in the environment happens, such as a migration or merger. Be sure to review hardware and software technologies at least once a year to make sure they continue to support PCI demands.
- Continuous change auditing and incident response plans
Evolving requirements include changes to identification and authentication mechanisms, covering all changes, additions and deletions for new accounts and privileged accounts. Auditors will be looking closely at this section, given all the insider threats we've seen. It's good practice to set up a routine audit of user activity, system and network configurations, and audit logging itself. Once auditing is in place, you should be able to detect and respond to any incidents that fall outside of normal business rules. Have a solution that can audit and alert at the same time. You also need to remediate any issues by restoring the affected controls and proactively preventing them from being changed again.
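The auditing-plus-alerting idea above can be made concrete with a small detector. The following is an added example, not code from the article: it parses constructed account-change audit lines, treats account creations, deletions and additions to privileged groups as high-risk, and alerts on any such change that is not covered by an approved change window. The group names, change ticket ids, log format and sample lines are all assumed for illustration; routine events such as password resets are recorded but not alerted on.

```python
"""Added example: continuous auditing of identity/authentication changes.

Audit lines (constructed format) look like:
  <ISO-8601 ts> actor=<who> action=<what> target=<account> detail=<group or note>
Any account creation/deletion, or addition to a privileged group, must fall
inside an approved change window for the same actor, or it raises an alert.
"""
import shlex
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Assumed names of groups that confer privileged access to the cardholder data environment.
PRIVILEGED_GROUPS = {"Domain Admins", "DBA", "CDE-Admins"}
# Actions that are always high risk, whatever the detail field says.
ALWAYS_HIGH_RISK = {"account_created", "account_deleted"}
# Actions that are high risk only when the group named in `detail` is privileged.
GROUP_ACTIONS = {"group_added", "privilege_granted"}


@dataclass(frozen=True)
class ChangeEvent:
    ts: datetime
    actor: str
    action: str
    target: str
    detail: str


@dataclass(frozen=True)
class ChangeWindow:
    ticket: str      # approved change ticket id (constructed)
    actor: str       # account authorised to make the change
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Alert:
    event: ChangeEvent
    reason: str


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_event(line: str) -> ChangeEvent:
    """Parse one key=value audit line; shlex keeps quoted values such as "Domain Admins" intact."""
    ts, *fields = shlex.split(line)
    kv: Dict[str, str] = dict(f.split("=", 1) for f in fields)
    return ChangeEvent(parse_ts(ts), kv["actor"], kv["action"], kv["target"], kv.get("detail", ""))


def is_high_risk(ev: ChangeEvent) -> bool:
    if ev.action in ALWAYS_HIGH_RISK:
        return True
    return ev.action in GROUP_ACTIONS and ev.detail in PRIVILEGED_GROUPS


def covering_window(ev: ChangeEvent, windows: Iterable[ChangeWindow]) -> Optional[ChangeWindow]:
    """Return the approved window that authorises this event, if any."""
    for w in windows:
        if w.actor == ev.actor and w.start <= ev.ts <= w.end:
            return w
    return None


def detect(lines: Iterable[str], windows: Iterable[ChangeWindow]) -> List[Alert]:
    """Audit every line; alert only on high-risk changes with no approved window."""
    windows = list(windows)
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        if not is_high_risk(ev):
            continue  # routine change: kept in the audit trail, no alert
        if covering_window(ev, windows) is None:
            alerts.append(Alert(ev, f"{ev.action} on {ev.target} by {ev.actor} outside any approved change window"))
    return alerts


# Constructed sample data: one approved window and five audit events.
SAMPLE_WINDOWS = [
    ChangeWindow("CHG-1001", "iam-ops", parse_ts("2015-03-02T10:00:00Z"), parse_ts("2015-03-02T11:00:00Z")),
]
SAMPLE_LOG = [
    '2015-03-02T09:05:00Z actor=helpdesk action=password_reset target=asmith detail=-',
    '2015-03-02T10:12:30Z actor=iam-ops action=account_created target=bjones detail=contractor',
    '2015-03-02T14:00:00Z actor=iam-ops action=group_added target=bjones detail=Developers',
    '2015-03-02T22:14:07Z actor=svc-backup action=group_added target=jdoe detail="Domain Admins"',
    '2015-03-03T03:40:00Z actor=iam-ops action=account_deleted target=rlee detail=offboarding',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, SAMPLE_WINDOWS):
        print(f"ALERT {alert.event.ts.isoformat()} {alert.reason}")
```

Running it alerts on two of the five events: the late-night addition of `jdoe` to Domain Admins by a service account with no change window, and the deletion of `rlee` by an otherwise authorised actor hours after its window closed. The contractor account created inside CHG-1001 and the non-privileged Developers group change pass without alerting, which is the distinction between "audit everything" and "alert on what falls outside business rules".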
- Working relationships with third-party service providers
PCI DSS applies to third-party service providers if they store, process, transmit, and/or have access to cardholder data. If they're responsible for managing customer environments, they are also impacted by PCI 3.0 and must either undergo an annual assessment and provide evidence to their customer, or have their services reviewed annually when their customer goes through an audit. All parties should have documented evidence of who is responsible for covering which policies and procedures. What often gets overlooked is the requirement that merchants and service providers must manage and audit the PCI compliance of all third-party service providers with access to cardholder data. Now is a good time to review service provider contracts, as PCI 3.0 has new requirements, some of which are effective now and others that will go into effect in July 2015.
The PCI requirements are clear – but they do take work to accomplish. These are just a sampling of the best practices you can adopt to proactively achieve compliance. Business involvement should come from the top down, and you should know how you will keep up with both the requirements and your infrastructure so that you stay safe, and in business, for the long term.