Are you ready for a February deadline for new Payment Card Industry Data Security Standard requirements?
February 1, 2018. That’s the day PCI DSS (Payment Card Industry Data Security Standard) will require your business to upgrade its security practices. Version 3.2 of PCI DSS changes what were previously “best practices” into stricter, mandatory business security requirements.
If your business relies at all on credit card processing, today I want to walk through what Philadelphia-area businesses should be planning for in the coming weeks to prepare for the change to these heightened data security requirements.
Below are seven current best practices that become mandatory security requirements beginning February 1st:
Requirement 3.5.1—how are you protecting your cardholder data? PCI DSS wants to know.
As part of the updated data security requirements, your business will need to provide documentation of the procedures you follow to keep credit card information safe. Specifically, you will need to describe your methods, such as the security architecture, the encryption algorithms and protocols, and the cryptographic keys that your IT security uses to protect cardholder data.
Requirement 10.8—are you detecting and reporting any data breaches or security system failures? You now will need prompt detection and response to any form of data breach.
As part of the upgraded security standards outlined in Requirement 10.8, you will be expected to report any data security system failure or data breach in a timely manner.
You will also need to report any failures in your critical security control systems (if you aren’t sure what these are in your organization, consider a third-party security assessment to better grasp which security controls are needed for PCI compliance).
As part of reporting any failures, you are expected to document a process for detecting failures, identify the personnel on your team responsible for implementing your security process, and outline the alerting processes and procedures that apply in the event your security process fails to protect cardholder data.
Requirement 10.8.1—Are you detecting and reporting security breaches fast enough?
Improved security standards outlined in Requirement 10.8.1 expect your business to report any critical security failures in a timely manner (again, consider a security assessment if you are unsure which critical security features you need for PCI). You will need to provide descriptions of your response process, including your security controls (for example: firewalls, monitoring, antivirus and audit logging).
Along with 10.8.1, you will have to describe your process for responding to security control failures and document the cause(s) and duration of each failure. PCI DSS will now require you to perform a security risk assessment to identify any ongoing issues with your security process and take any additional actions needed to remediate security vulnerabilities, along with restoring and monitoring your existing security controls to prevent further security failures.
Requirement 11.3.4.1—are you regularly monitoring and testing your network security?
The new requirement outlined in 11.3.4.1 will require mandatory penetration testing on your network every six months. Penetration testing is a way for security experts to evaluate how easily cybercriminals would be able to breach your network and access your protected data (in this case, cardholder data). Think of a penetration test as a demonstration of how robust your security measures actually are.
Security experts often try to break through your firewall, phish employees to obtain critical information or passwords, and hack into areas of your network containing sensitive information (information that actually is worth big bucks on the Dark Web!) in order to see how vulnerable your business is to an attack. If someone attempting to penetrate your network actually is able to get through, PCI requires that the vulnerabilities exposed by the test be remediated.
By August 1, 2018, you will need to demonstrate your two most recent tests for 2018 to be in compliance with PCI DSS.
Requirement 12.4.1—are you maintaining your PCI DSS compliance?
Requirement 12.4.1 holds you accountable for maintaining PCI DSS compliance: beyond having an appropriate compliance program in place, this new requirement holds you accountable for actually complying with it on an ongoing basis.
What does an appropriate compliance program look like?
Your PCI DSS compliance program should include an accountability chart that identifies every role in your organization that you hold accountable for fulfilling security responsibilities.
Note: if you have reliable outsourced IT support, your IT support team will likely be named responsible for many of your compliance tasks, although you should still have someone on staff holding that team accountable (the person responsible for managing the relationship between your organization and IT support).
Security responsibilities outlined in your program should be communicated to your entire executive management team (a specific requirement of the new regulation).
Requirement 12.11—are your staff familiar with PCI DSS standards?
As part of the new Requirement 12.11, you are expected to review and confirm that all personnel are following PCI DSS security policies and procedures.
To make sure that your security policies and processes are taken seriously throughout your organization, PCI DSS requires confirmation from all personnel that everyone is abiding by your standard security procedures.
In fact, you will be required to periodically present information on security activities throughout the year to demonstrate that everyone is abiding by security standards. You may even have to present daily log reviews, firewall rule-set reviews, application configuration standards, responses to security alerts, or change management procedures to show an ongoing effort to secure cardholder data.
Requirement 12.11.1—have you documented your quarterly review process?
As part of Requirement 12.11.1, PCI DSS requires you to document your quarterly review process. You are expected to document that you are performing quarterly reviews and to archive all reviews in case you are audited.
Are you prepared for February 1st 2018?
There are a lot of changes popping up, and many of them require tedious tracking and documentation. Is your business prepared for these changes? Do you even know which ones you will have to focus on? Will you meet the February 1st deadline?
Contact Us TODAY for a free network security assessment to understand where to prepare for your PCI compliance changes.