This year, organizations subject to PCI DSS must enforce the new PCI DSS 3.0 requirements across their environments (five more requirements, treated as best practices until then, become mandatory in July 2015). Organizations can't ignore the clarifications and evolving requirements the PCI Security Standards Council has published, and some of them will actually benefit organizations by helping them detect suspicious activity and anomalies that fall outside what their business rules call for. Here are some best practices to make sure your organization can achieve PCI 3.0 compliance:

Ongoing assessments

Frequently review security controls such as access rights, separation of duties, configuration settings and log reviews to ensure they are set appropriately. Also review communication between business stakeholders and IT across the company to ensure that requirements are understood, in place and backed by secure processes. These reviews should take place at least once a year, and whenever a major change happens in the environment, such as a migration or merger. Review hardware and software technologies at least once a year as well, to confirm that they still support PCI demands.

Continuous change auditing and incident response plans

Evolving requirements include changes to identification and authentication mechanisms, covering every change, addition and deletion of user accounts and privileged accounts. Auditors will look closely at this area, given all the insider threats we have seen. It is good practice to set up a routine audit of user activity, system and network configurations, and audit logging itself. Once auditing is in place, you should be able to detect and respond to any incident that falls outside normal business rules. Use a solution that can audit and alert at the same time. You also need to remediate any issues by restoring the affected controls and proactively preventing them from changing going forward.

Working relationships with third-party service providers

PCI DSS applies to third-party service providers if they store, process, transmit and/or have access to cardholder data. If they are responsible for managing customer environments, they are also affected by PCI 3.0 and must either undergo an annual assessment and provide evidence to their customer, or have their services reviewed annually when their customer goes through an audit. All parties should hold documented evidence of who is responsible for which policies and procedures. What often gets overlooked is the requirement that merchants and service providers must manage and monitor the PCI compliance of every third-party service provider with access to cardholder data. Now is a good time to review service provider contracts, since PCI 3.0 introduces new requirements, some effective now and others taking effect in July 2015.

The PCI requirements are clear, but they take work to meet. These are just a sample of the best practices you can adopt to achieve compliance proactively. Business involvement should come from the top down, and make sure you know how to keep up with both the requirements and your infrastructure so that you stay safe, and in business, for the long term.