Reminder: Compliance with the PCI DSS 3.0 Mandatory Beginning on January 1st

Published On December 22, 2014 | By Roshni Patel | Data Security, General

With the New Year just around the corner, we’d like to remind merchants of the January 1st deadline to implement version 3.0 of the PCI Data Security Standard (PCI DSS). The changes in version 3.0 fall under three categories—clarifications, additional guidance, and changes to keep the standards current with emerging threats and changes in the market. Although version 3.0 took effect on January 1, 2014, merchants were given a year to bring their payment practices into compliance before Reports on Compliance or Self-Assessment Questionnaires must be completed under the new version.

Among version 3.0’s new requirements is the expansion of Requirement 1.1.2. In version 2.0, Requirement 1.1.2 required companies to maintain a current network diagram showing all connections to cardholder data. Version 3.0 clarifies what the network diagram must include and adds Requirement 1.1.3, which mandates that companies specifically map all cardholder data flows across systems and networks. Requirement 2.4 mandates that companies inventory all system components within the scope of PCI DSS to support the development of configuration standards. Requirement 9.3 instructs companies to grant onsite personnel physical access to sensitive areas only if access is necessary for their job function and to terminate access when it is no longer needed. Additionally, a number of requirements have been enhanced in version 3.0. Requirement 10.2.5, which requires automated audit trails for tracking use of identification and authentication methods, has been modified to also require automated auditing of changes to identification and authentication methods and of all changes, additions, or deletions to root or administrative accounts.

A handful of requirements will not be mandatory until July 2015. Among these is Requirement 9.9, which requires companies to protect swipe devices that capture payment card data via direct physical interaction with the card from tampering and substitution. This responds to the many skimming attacks that have become more prevalent in the past few years.

You can find the complete list of changes on the PCI Security Standards Council’s website. As always, ZwillGen attorneys are available to assist with your compliance needs.

Photo by Mike Mozart from Flickr

About The Author

Roshni works with ZwillGen attorneys on data privacy and security matters, regulatory compliance, developing internal privacy policies and procedures, and product counselling. Prior to joining ZwillGen, Roshni was a Privacy Fellow at the Wikimedia Foundation where she worked on domestic and international privacy issues involving internet technologies.