While new versions of the PCI DSS are introduced, these are done after a feedback from the industry regarding methods to improve the payment security, global applicability as well as cost and benefit of any changes in infrastructure. Changes in PCI Standards framework reflect the growing maturity of the payment security industry and its strength in protecting card holder data. Even as the version 3 of PCI DSS introduces changes than its previous versions, the core 12 security areas remain the same. Nevertheless, in a business environment that provides cyber attackers number of loopholes, enterprises are challenged to ensure protection of card holder data.

Since the PCI DSS applies to all stakeholders involved in payment card processing, PCI-DSS compliance management is a sensitive affair. Across industries, inconsistent encryption and malicious hackers accessing the credit card data resulted in huge financial losses and brand-image exposure! Though enterprises were compliant to Sarbanes-Oxley and HIPAA Act, their controls were not adequate to meet the PCI DSS requirements. Enterprises therefore took advantage of automated processes for monitoring of security vulnerabilities, mapping security controls and initiating re-mediation actions to help business enterprises meet compliance requirements.

However, even as PCI DSS 3.0 moves towards its implementation stages, not all merchants are completely aware of the three critical changes and their need in the payment card processing system. The version 3 of the security standards includes changes from the previous version which are nothing but simple clarifications on the scope and segmentation, responsibilities of merchants and service providers. While this will greatly impact the merchants, this will also prevent tampering and skimming at any point of sale. Even as enterprises conduct vulnerability scans on handful of credit cards and debit cards, as per the version 3 of PCI DSS, compliance is required across all systems that handle card data, unrelated systems connected to the same network as well as authentication servers, firewalls and web redirection servers.

Further, even as PCI encourages network segmentation through the use of firewalls, the new version 3 expects enterprises to make use of network penetration tests that will help validate the segmentation methods as operational and effective by July 2015. After the aftermath of target point-of-sale breach, the PCI DSS version 3 requires both merchants and service providers to formally document the responsibility of PCI requirements. Moreover with rising cases of tampering with physical-point-of-sales devices, the new PCI requirement (9.9) calls for an inventory of devices and regular inspections to detect tampering. Hence, effective the January 2015 deadline, merchants need to understand the scope and segmentation required for PCI DSS compliance and work with service providers to define responsibilities and potentially alter contracts, and implement controls for preventing tampering and skimming of the point-of-sale devices. The January 2015 deadline for assessing version 3.0 is around the corner although some of these requirements do not go into effect until July 2015. The PCI DSS requirements will be validated during the first SAQ or QSA assessment in 2015. It is best to start addressing the necessary changes immediately.

In summary, in PCI DSS v3.0 three critical changes include the scope definition and segmentation, service providers’ responsibilities and the need to alter contracts, and controls to be implemented for preventing tampering and skimming at the point-of-sale devices.

Aegify SecureGRC now has in suite of ready-to-use compliance frameworks, the latest PCI DSS V 3.0 controls for checking the compliance status of merchants quickly and easily taking away the complexities of the controls mandated for compliance for the merchants and their service providers. Get to quickly know how compliant you are to the PCI DSS v3.0 by running the Aegify SecureGRC from the cloud.

The post Understand the Critical Changes to PCI DSS 3.0 that you as a Merchant must know appeared first on Aegify.

Coming to effect from July 1st 2010, this new standard would mean that SMBs now have a mandate to build secure networks aimed at protecting cardholder information. It prohibits third-party payment software from storing authentication details like the cardholder PIN and Magnetic Stripe. Read more on this in Visa Puts Credit Security on You.

While that is for SMBs, larger enterprises are required to comply with the full version of PCI DSS standard by 30th September. The new standard would now control how cardholder data is stored, processed or transmitted.

With these new requirements, GRC solutions have gained more significance. By using SecureGRC^TM, a GRC platform that integrates with the business process, companies can now successfully deal with compliance and risk management.

The post New Security Standard for SMBs to Protect Cardholder Information appeared first on Aegify.