Preparing For PCI 3.0
PCI compliance is the first step to robust business security.

The new year is all about making resolutions. But for businesses, there’s one new year’s resolution that’s absolutely required: the shift to Version 3.0 of Payment Card Industry Data Security Standards. Come Jan. 1, 2015, merchants will have to adhere to a new and more rigorous set of industry standards as outlined by the Security Standards Council.

“Once the new year rolls around, every company out there will have to be in lockstep with PCI 3.0.”

The news about the move to PCI 3.0 has been around for a while, but with the holiday shopping rush as well as daily enterprise concerns, it’s understandable if some businesses out there haven’t closely examined the overall impact of PCI 3.0. Being unprepared simply won’t be an option. Here’s a look at how PCI 3.0 will differ from the previous version, and what you can do to ensure compliance.

Outlining The New Elements Of PCI

For every business, security threats have evolved significantly over the past year. Cybercriminals are more advanced, and their increasingly sophisticated attacks pose a significant challenge to security teams everywhere. Hacker success almost invariably points to a lack of preparedness on the part of the victim, and that’s something PCI 3.0 is attempting to address.

Before proposing PCI 3.0, the PCI Security Standards Council identified some key challenges that prevent enterprises from achieving an effective security and compliance posture. The main challenges highlighted include malware detection, weak passwords and authentication controls, and a general lack of employee security education programs. Working from these lessons learned, the Standards Council generated new requirements for PCI. Here are a few of the most important ones (the full list can be read here):

  • “Have a current diagram that shows cardholder data flows.” A data flow diagram is an instrumental tool that shows how data flows within an enterprise’s cardholder environment. That diagram includes information that’s stored, processed or transmitted. The data flow diagram helps businesses identify when information is potentially crossing vulnerable boundaries. The nice thing about a diagram is that it’s not complicated to make and maintain for most customers.
  • “Evaluate evolving malware threats for systems not commonly affected by malware.” Because cybercriminals are highly adaptable and always looking for new ways to dodge security measures, a central part of the new PCI standards involves making sure your company keeps abreast of the threat landscape and plans accordingly. For example, some companies use mainframes to store and process credit card data, and there is no commercially available anti-malware software for these systems. Therefore, the PCI Security Standards Council requires mainframe users to evaluate threats and to develop and evaluate compensating controls regularly.
  • “Security considerations for authentication mechanisms such as physical security tokens, smart cards and certificates.” If you’re a business that relies on a resource like physical security tokens to validate people’s identities, then you’ll need to make sure they’re protected with the same attention that a password system would provide.
  • “Protect POS terminals and devices from tampering or substitution.” If a hacker is attempting to breach a merchant, one of the first things they’ll look for is weak physical security protecting POS terminals. By physically protecting and regularly inspecting POS terminals, you can prevent and detect this type of security issue.

A single vulnerable POS terminal could spell disaster for your business.

How You Can Guarantee Compliance

The biggest step your business can take toward ensuring PCI 3.0 compliance is to pay careful attention to overall enterprise security. If your company has a mature, evolving security program in place, you will be better prepared for changes in PCI 3.0. Therefore, the first rule for meeting PCI is maintaining an adequate security program. As Joe Sturonas stated in a recent InformationWeek article, “Compliance should never be confused with security.” Instead, security is the first critical step to meeting your company’s compliance obligations. Here are a few ways to make sure you meet PCI’s new standards:

  • Prepare for evolution: The aim of the new standards is to challenge merchants to move beyond compliance and adopt a security posture that evolves over time. We have all learned the lesson that being compliant is not being secure. If your program approaches PCI as an annual scramble to pass an audit, your program will have difficulty evolving to combat new threats. Because the threat landscape is always growing, your security program needs to grow as well. If you don’t have a security program that adapts over time, you’ll fall behind and expose yourself to attack.
  • Read the changes carefully – as a company: Look over the changes to PCI and make sure you’re meeting each new provision. PCI is something that all employees of an organization should be tuned into. Ask yourself if your employees know what their role in protecting customer data is. If they can’t answer that question, you have work to do.
  • Pursue a PCI solution: Fortunately for you, your business doesn’t have to approach PCI compliance alone. By leveraging EarthLink’s PCI Compliance Solution, you can equip yourself with the tools you need to meet your security and compliance objectives.

About Peter Chronis

Pete is EarthLink's information security and IT compliance leader. He has over 15 years of experience using technology to manage risk in the telecommunications, healthcare, retail, financial and IT services industries.