
Follow the Path Toward PCI DSS 3.0 Compliance

How can businesses ensure they stay on the right side of the latest version of the payment card security standards?

The PCI Security Standards Council recently unveiled the long-awaited version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS). Retailers, service providers and other organizations involved in credit card processing have until January 2015 to comply with the new standard. There’s a lot to do.

How should an organization get started? The best approach is to prioritize the changes based on the date they become effective for your credit card processing activities.

The good news is that, although PCI DSS 3.0 went into effect on January 1, 2014, merchants have a one-year grace period to adapt to the new standard. In the interim, they may choose to recertify under either the PCI DSS 2.0 or 3.0 standard. In addition, implementation deadlines for a handful of requirements are further delayed until July 1, 2015.

Step 1: Thoroughly Review the Standard

As the first step in preparing to comply with PCI DSS 3.0, thoroughly read the new standard. The PCI DSS 3.0 Summary of Changes prepared by the PCI Security Standards Council can help guide your review. While the summary of changes runs 12 pages, you’ll be relieved to find that the vast majority of those changes are classified as “Clarification” or “Additional Guidance” updates that simply correct ambiguous wording. Review each of these changes, but chances are they will not significantly impact your PCI DSS compliance program.

The significant items to watch out for are those labeled “Evolving Requirement.” In these cases, the PCI SSC has made significant changes to the standard. Think of it as a euphemism for “new work.” Work your way through each of the changes identified in the document and determine what actions, if any, will be required to bring your cardholder data environment into compliance with the new standard.

Step 2: Implement the First Wave of Changes

Once you’ve reviewed the standard and outlined your work plan, start implementing any required changes. The good news is that you have until the end of 2014 to implement these changes, so an early start will give you plenty of time to evolve gradually. Some of what you must cover in this first wave includes:

  • Developing a diagram of all cardholder data flows and updating your network diagram to meet the requirements of sections 1.1.2 and 1.1.3.
  • Creating an inventory of in-scope system components, as required by the new section 2.4.
  • Ensuring that antivirus software can’t be disabled by end users, as required by the new section 5.3.
  • Conducting risk assessments for platforms not commonly affected by malware, in compliance with section 5.1.2.
  • Ensuring that your password requirements meet the revised complexity standards of section 8.2.3.
  • Updating the use of non-password authentication mechanisms to ensure they are linked to individual accounts, in compliance with section 8.6.
  • Evaluating whether physical security access procedures comply with section 9.3.
  • Ensuring that audit trails capture changes to identification and authentication mechanisms, modifications to administrative accounts, and starting or stopping the audit log, in compliance with the updates to section 10.2.
  • Maintaining an inventory of wireless access points and ensuring that incident response procedures are triggered when unauthorized APs are detected, per section 11.1.

Tailor your organization’s 2014 action plan to meet the specific operational needs of your credit card processing environment.

Step 3: Prepare for 2015

Once you’ve tackled the first wave of changes, turn your attention to the four requirements that have a deferred implementation deadline of July 1, 2015. These four requirements are:

  • Section 6.5.11 requires updating software development practices to protect against broken authentication and session management.
  • Section 8.5.1 mandates that service providers working with multiple merchants have unique access credentials for each customer.
  • Section 9.9 institutes new control requirements around physical access to point of sale terminals.
  • Section 11.3 hardens requirements for penetration tests, mandating the use of a comprehensive methodology that meets detailed PCI DSS requirements.

While any major update to a compliance standard can be a disruptive event for an organization, there’s no need to panic with the release of PCI DSS 3.0. The majority of the changes in this version simply clarify existing requirements.

For those requirements likely to require change, the standard provides plenty of time, with the first deadline at the end of this year and the second even farther out in July 2015. If you start now, you should have enough time to ensure continued compliance.

About the Author

Mike Chapple

Mike Chapple is an IT professional and assistant professor of computer applications at the University of Notre Dame. He is a frequent contributor to BizTech magazine, SearchSecurity and About.com as well as the author of over a dozen books including the CISSP Study Guide, Information Security Illuminated and SQL Server 2008 for Dummies.

