NEWS FROM THE EDGE

Tech Tips and Advice from the Experts at Dynamic Edge

PCI Best Practices Are Becoming Requirements. Are You Prepared?

Any important events coming up?

Just got through the New Year. Check. (Happy New Year by the way!)

Ready for an exciting 2018. Check.

Looking forward to a LOT more sales next year?

Are you ready for the deadline to the Payment Card Industry Data Security Standard (PCI DSS)?

On February 1, 2018, version 3.2 of the PCI DSS best practices will no longer be just “best practices”.

PCI DSS is transitioning its recommendations into requirements! Practices that organizations were once merely encouraged to implement as soon as possible will become mandatory for any business that relies on credit card processing.

Today I want to focus on the major PCI DSS requirements that are changing, where best practices are being turned into mandatory requirements for your business security.

Requirement 6.4.6—all PCI DSS requirements must be implemented on new and changed systems on your network, and documentation must be updated accordingly. This new requirement ensures that all necessary security controls are in place to protect cardholder data and that management procedures are being followed.

Requirement 8.3.1—two-factor authentication for administrative access to the cardholder data environment. To access your cardholder data as an administrator, you will now be required to present an additional means of verifying who you are, beyond your password. This may be a fingerprint, a smart card, or a text-message verification code, so that a hacked password alone cannot be used to directly and easily access your cardholder information. With two-factor authentication, you reduce the risk that your data will be compromised if something happens to a password.

Below are the seven additional best practice sub-requirements taking effect February 1st:

Requirement 3.5.1—documentation of how you protect your cardholder data. You will be required to describe the methods—security architecture, algorithms, protocols and keys—used to protect your cardholder data.

Requirement 10.8—timely detection and reporting of security control failures. Under the new requirements, you are expected to promptly detect and report any failure of a critical security control. This includes documenting the process for detecting failures, identifying the personnel responsible for carrying out that process, and defining the associated alerting processes and procedures.

Requirement 10.8.1—timely response to any failures. PCI DSS will expect you to respond promptly to any critical security control failure, starting with a list of your security controls, such as firewalls, file monitoring, antivirus, or audit logging. You will need to describe your processes for responding to a failure of each specific control: identifying and documenting the cause and duration of the failure, performing a risk assessment to identify any further action needed, implementing additional security controls where required, and restoring security functions and monitoring after the failure.

Requirement 11.3.4.1—mandatory penetration testing on your network at least every 6 months. In addition to having controls in place, you will be required to perform penetration testing of your security controls at least once every 6 months. By August 1, 2018 you will be required to demonstrate your two most recent tests for 2018. Penetration tests are one way of showing the robustness of your security controls. If someone attempting to penetrate your network gets through, this exposes vulnerabilities or failures in your network security that should be remediated.

Requirement 12.4.1—you are accountable for maintaining PCI DSS compliance. This requirement makes sure that you have a PCI DSS compliance program with an accountability chart identifying the roles held accountable for fulfilling security responsibilities. These security responsibilities are expected to be communicated to your executive management team.

Requirement 12.11—quarterly reviews to confirm personnel are following security policies and standard security procedures. To make sure you are taking security seriously and building it into your standard business processes, PCI DSS requires confirmation that personnel abide by standard security procedures. Specifically, you will be required to present evidence that periodic security activities are in fact being carried out throughout the year (for example, daily log reviews, firewall rule-set reviews, application configuration standards, response to security alerts, and change management procedures).

Requirement 12.11.1—mandatory documentation of the quarterly review process. You are required to explicitly document that you are performing quarterly reviews and that the results of these reviews are archived and available for audit upon request.

The bottom line: there are a lot of new security requirements popping up in 2018. Do you even know which ones you will need to tackle? Will you meet the February 1st deadline?

Contact Us TODAY for a free network security roadmap meeting.
