
PCI-DSS v3.0 Standard Published
11/07/2013

Today the Payment Card Industry Security Standards Council (PCI SSC) published version 3.0 of the PCI Data Security Standard (PCI DSS).

It comes with new requirements and guidance intended to make electronic payment infrastructure more secure. It places renewed emphasis on education, awareness and continuous security monitoring, and clarifies the rules that merchants and service providers must meet to be PCI DSS compliant.

New Guidelines

This version includes a number of additions and clarifications to current requirements, general guidance that affects several requirements or the overall PCI compliance process, and some significant new requirements.  The new standard focuses on making payment security part of organizations' and professionals' "business-as-usual" activities, and version 3.0 supports an underlying theme of education and awareness.

Ten new requirements have been introduced in PCI DSS v3.0, including a requirement to evaluate evolving malware threats on systems not commonly affected by malware, and a requirement that service providers with remote access to customer premises use unique authentication credentials for each customer.  Requirements for controlling onsite personnel's physical access to sensitive areas were also added.

Proper Malware Detection

One of the requirements merchants must meet once v3.0 takes effect on January 1, 2014 is proper malware protection.  A requirement has been added to make sure that merchants and anyone else handling payment card data have a risk management process for identifying and evaluating malware threats.

The new requirement recognizes that threats evolve, and that systems not commonly affected by malware today (such as mainframes or Unix-based servers) may become targets, so merchants must periodically re-evaluate which systems need anti-malware controls rather than deciding once and forgetting about it.

Passwords

Version 3.0 emphasizes flexibility, allowing security controls to be met in different and evolving ways, and that includes password complexity.

Previously, PCI DSS required passwords to be at least seven characters long and to contain both numeric and alphabetic characters.  Version 3.0 keeps that baseline but accepts passwords or passphrases with at least equivalent complexity and strength, and recognizes that authentication need not be a password at all: other mechanisms such as tokens, smart cards or certificates may be used, provided they are tied to an individual account so that only the intended user can gain access.

The attention given to authentication is one of the most important changes in PCI DSS 3.0, because weak and default passwords have been a primary cause of numerous card data breaches.

Penetration Testing

Version 3.0 requires a documented penetration testing methodology.  If segmentation is used to isolate the cardholder data environment (CDE) from other networks, penetration tests must now verify that the segmentation methods are operational and effective: a tester positioned on an out-of-scope network attempts to reach CDE systems and confirms that every path is blocked.  This is distinct from vulnerability scanning; merchants must perform these penetration tests, from inside the network as well as from outside, in addition to the existing quarterly external scans by an Approved Scanning Vendor (ASV).  The penetration testing requirement is one of those that remains a best practice until July 1, 2015.

Additional Requirements

Other new requirements include:

  • Service providers with remote access to customer premises must use unique authentication credentials for each customer
  • Where other authentication mechanisms are used, these must be linked to an individual account and ensure only the intended user can gain access
  • Physical access to sensitive areas for onsite personnel must include a process to authorize access, and revoke access immediately upon termination
  • Devices that capture payment card data via direct physical interaction with the card must be protected from tampering and substitution
  • Implement a methodology for penetration testing; if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective
  • Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity
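The segmentation check described under Penetration Testing above, and repeated in the list of additional requirements, can be scripted so that it is repeatable from every out-of-scope network segment. The following Python script is an added example; it is not code from the original post or from the PCI SSC. It assumes the tester runs it from a network that is supposed to be out of scope, and the CDE hosts, ports and labels in it are constructed placeholders (RFC 5737 TEST-NET addresses), not real systems.

```python
"""Verify that network segmentation isolates the cardholder data environment.

Added example (not from the original post or PCI SSC). Run it from a
network that is supposed to be OUT of scope; every target listed is a CDE
host/port that must NOT be reachable from there. Any completed TCP
connection is evidence that segmentation is not effective.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    host: str
    port: int
    label: str = ""  # free-text note for the report, e.g. "POS database"


def probe(host, port, timeout=2.0):
    """Attempt one TCP connection and classify the outcome.

    "open"        handshake completed -> segmentation has FAILED for this target
    "refused"     RST came back -> either a firewall reject rule or a routable
                  host with the port closed; needs review against the rulebase
    "filtered"    nothing came back within the timeout -> consistent with a
                  drop rule, the result segmentation should produce
    "unreachable" no route, or the name did not resolve
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:  # alias of TimeoutError on Python 3.10+
        return "filtered"
    except OSError:
        return "unreachable"


def verify_segmentation(targets, probe_fn=probe):
    """Probe every target and return (verdict, findings).

    verdict is "FAIL" if any target was open, "REVIEW" if none was open but
    some answered with a refusal, and "PASS" only when nothing answered.
    probe_fn is injectable so the logic can be exercised without a network.
    """
    findings = [(t, probe_fn(t.host, t.port)) for t in targets]
    states = {state for _, state in findings}
    if "open" in states:
        verdict = "FAIL"
    elif "refused" in states:
        verdict = "REVIEW"
    else:
        verdict = "PASS"
    return verdict, findings


def format_report(verdict, findings):
    """Render findings as plain text for the penetration test report."""
    lines = [f"Segmentation verdict: {verdict}"]
    for target, state in findings:
        lines.append(f"  {target.host}:{target.port:<5} {state:<11} {target.label}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample CDE inventory using RFC 5737 TEST-NET addresses;
    # replace with the real in-scope systems from the scoping exercise.
    cde = [
        Target("192.0.2.10", 1433, "POS transaction database"),
        Target("192.0.2.11", 443, "payment gateway web tier"),
        Target("192.0.2.12", 22, "CDE jump host"),
    ]
    verdict, findings = verify_segmentation(cde)
    print(format_report(verdict, findings))
```

Run it once from each network segment that is claimed to be out of scope and keep the reports as evidence. A "filtered" result should still be corroborated against the firewall rulebase, since a congested link or a host that is simply down also produces a timeout; only an "open" result is conclusive on its own.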

Deadline

Version 3.0 becomes effective on January 1, 2014, although version 2.0 remains valid until December 31, 2014 so that organizations have the year to transition.  In addition, a number of the new requirements remain best practices until June 30, 2015 and become mandatory on July 1, 2015.

One of the new requirements that will not be mandatory until 2015 is written agreements between merchants and third-party service providers in which the provider acknowledges its responsibility for protecting the cardholder data it handles.

Help with PCI-DSS Compliance

Do you need to have a risk assessment to see what you need to do to be compliant with PCI-DSS v3.0?  Do you need a proper malware risk management process?  Do you need continual security monitoring?  Do you need to perform internal penetration testing?  No worries—we’re here to help.

More Information

You can access the standard and a detailed summary of changes from version 2.0 to version 3.0 at the PCI SSC website.

Professional Services

If you need assistance with a risk assessment, a risk management process, security monitoring, or penetration testing, IT Professional Services can help. Please contact us.

© 2009-2013 IT Professional Services All rights are reserved.  (805) 650-6030