The deadline (January 1, 2015!) for PCI DSS 3.0 compliance is quickly approaching. Some of our PCI experts addressed this head-on in a recent webcast, “PCI DSS 3.0: Are you Ready for January?” Derek Kolakowski, Brian Tant, and ncrampton discussed what it will take for security professionals to get over the finish line and achieve 3.0 compliance, and to be secure and ready when auditors come a-calling. Read on for the top takeaways from this discussion:
- Know Who Owns What – Not only is this important for your internal planning and implementation, it is also one of the new requirements in 3.0 compared to the 2.0 standard. The new requirement, 12.8.5, says to maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by your own organization. This one is particularly important to follow, since so many of the recent major breaches have resulted from weak security on the part of third parties working with the compromised organization.
- Continuously Review & Update your Plan – It's important to keep revisiting your plan to achieve 3.0 compliance to make sure you are on task, and that your plans continue to make sense for your environment. Information discovered while implementing an initial action plan can mean that even the best-laid plans no longer make sense and need updating along the way. Your plan should be a living document that is constantly refined to reflect your current environment.
- The Goal: Compliance 24x7x365 – One thing our speakers emphasized is that the concept of compliance shouldn't be looked at as just boxes to check so auditors are satisfied and go away. PCI DSS 3.0 compliance should be thought of as an ongoing process, with plans for continual upkeep. The requirements were developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. Compliance is of course not the only thing needed to be secure, but it's an essential piece for many security programs.
For a more in-depth discussion of the major changes from 2.0 to 3.0, and final steps to take before January 1st, view the on-demand webcast now.
You can also check out our entire library of PCI DSS 3.0 readiness resources here: https://www.rapid7.com/pci.