The Payment Card Industry Data Security Standard (PCI DSS) version 3.0 becomes mandatory for all assessments as of January 1, 2015, when version 2.0 is retired, and as is typical with any new standard, many companies are behind in preparing for their 2015 audit requirements.
While the PCI community grumbles about timelines and definitions (what counts as a “periodic” inspection, or a “significant” change to the network?), several Qualified Security Assessors (QSAs) also note that the onboarding process for many businesses has been less than seamless. Most businesses are doing what they can, yet are still leaning on their e-commerce provider or their QSA to tell them what to do.
One major analyst organization indicated the new standard will introduce more than 30 percent change in the requirements, including a minimum of nearly 200 hours of extra time for an average of 200 systems “in-scope.”
At that rate, a single person working on the changes part-time each day would have needed to start by June 2014. It depends on the organization, of course, but that estimate is probably low for most companies.
The PCI 3.0 standard has a number of changes that will take much longer than most organizations realize, said Jeff Hall, FishNet Security QSA. After consulting with a number of firms of all sizes readying for the new audit requirements, Hall said most organizations are simply behind. “We’re already seeing that it’s crunch time for many organizations. What they often don’t realize is how much time and resources will be dedicated to areas they should’ve been working on all throughout 2014. And as they address one new requirement, several other areas open up that require attention and time.”
Hall notes key areas of concern, including:
- PCI 1.1.2 & 1.1.3 – Current network diagram and cardholder data flow diagram
- PCI 11.3.4 – Network segmentation testing, and providing evidence that the segmentation protects the cardholder data environment (CDE)
- PCI 11.1.1 – Inventorying all their wireless devices – not just those in scope
- PCI 2.4 – Inventory of all in-scope assets as well as all components, ports, services and protocols on any in-scope system
- PCI 7.1.1 – Access roles and business justification for that access
- PCI 11.3 – Penetration testing methodology (a best practice until June 30, 2015 and a requirement from July 1, 2015, so a head start would be smart)
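The inventory items above (PCI 2.4 in-scope assets, and the ports, services and protocols running on them) are the ones auditors most often find undocumented, because the "approved" list in the policy binder and what a host actually listens on drift apart. The following script is an added example, not code from the article or from FishNet Security or Tripwire: it parses the output of `ss -tulnpH` from an in-scope host and reconciles it against a documented baseline of justified listeners, reporting anything running without a justification, anything documented but no longer running, any service answered by an unexpected process, and any known-insecure protocol that needs the compensating controls PCI 2.2.3 asks for. The sample `ss` output, the baseline and the justifications are constructed for illustration.

```python
"""Reconcile observed listening services on an in-scope host against the
documented, business-justified baseline (evidence for PCI DSS 3.0 Req. 2.4,
1.1.6 and 2.2.3 style questions).  Added example, not from the original
article; all sample data below is constructed."""
import re
from dataclasses import dataclass

# Constructed sample: what `ss -tulnpH` prints on a hypothetical in-scope host.
# Columns: Netid State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1021,fd=6))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      50     [::ffff:127.0.0.1]:3306 *:*          users:(("mysqld",pid=944,fd=20))
tcp   LISTEN 0      5            0.0.0.0:23        0.0.0.0:*    users:(("inetd",pid=600,fd=5))
udp   UNCONN 0      0            0.0.0.0:123       0.0.0.0:*    users:(("ntpd",pid=700,fd=16))
"""

# Constructed baseline: (proto, port) -> (expected process, business justification).
# In practice this is the documented inventory the QSA will ask to see.
APPROVED = {
    ("tcp", 443): ("httpd", "Customer-facing payment page, TLS only"),
    ("tcp", 22): ("sshd", "Administrative access from the jump host only"),
    ("udp", 123): ("ntpd", "Time sync needed for log correlation (Req. 10.4)"),
    ("tcp", 8443): ("tomcat", "Admin console"),  # documented but no longer running
}

# Protocols PCI 2.2.3 treats as insecure and requiring additional controls.
INSECURE_SERVICES = {("tcp", 21): "ftp", ("tcp", 23): "telnet", ("tcp", 513): "rlogin"}


@dataclass(frozen=True)
class Listener:
    proto: str
    port: int
    process: str


_PROC_RE = re.compile(r'\(\("([^"]+)"')  # first process name in users:(("name",pid=..))


def parse_ss(text):
    """Parse `ss -tulnpH` output into Listener records; malformed lines are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        # Local address may be IPv4, bracketed IPv6 or "*"; the port follows the last colon.
        port = int(local.rsplit(":", 1)[1])
        match = _PROC_RE.search(line)
        process = match.group(1) if match else "?"
        listeners.append(Listener(proto, port, process))
    return listeners


def reconcile(listeners, approved, insecure=INSECURE_SERVICES):
    """Compare observed listeners with the approved baseline and return findings."""
    observed = {(l.proto, l.port): l for l in listeners}
    findings = {"unapproved": [], "process_mismatch": [], "stale_baseline": [], "insecure": []}
    for key, l in observed.items():
        if key not in approved:
            findings["unapproved"].append(l)          # needs justification or removal
        elif approved[key][0] != l.process:
            findings["process_mismatch"].append(l)    # right port, unexpected daemon
        if key in insecure:
            findings["insecure"].append(l)            # Req. 2.2.3 controls required
    for key in approved:
        if key not in observed:
            findings["stale_baseline"].append(key)    # documentation out of date
    return findings


def report_lines(findings):
    """Render findings as plain lines suitable for an audit evidence file."""
    lines = []
    for l in findings["unapproved"]:
        lines.append(f"UNAPPROVED   {l.proto}/{l.port} ({l.process}): no business justification on file")
    for l in findings["process_mismatch"]:
        lines.append(f"MISMATCH     {l.proto}/{l.port}: baseline expects {APPROVED[(l.proto, l.port)][0]}, found {l.process}")
    for proto, port in findings["stale_baseline"]:
        lines.append(f"STALE        {proto}/{port}: documented but not listening")
    for l in findings["insecure"]:
        lines.append(f"INSECURE     {l.proto}/{l.port} ({l.process}): PCI 2.2.3 controls needed")
    return lines


if __name__ == "__main__":
    for line in report_lines(reconcile(parse_ss(SAMPLE_SS_OUTPUT), APPROVED)):
        print(line)
```

Run it against real `ss` output on each in-scope host (one baseline per host or host role), keep the dated output with the baseline, and you have the kind of sampled, documented evidence the new standard expects rather than a spreadsheet nobody has checked since the last audit.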
Many of these requirements will need dedicated cross-organizational teams with clear ownership and participation. In addition, it will not be nearly as easy as in past years to exclude systems from scope.
Further, Hall believes the new standard will require QSAs to be far more thorough than past audit work demanded: a great deal more validation, sampling, observation and documentation.
So, if your organization feels it is behind the curve and your audit is scheduled earlier in 2015 than you would like, consider the guidance from the PCI Security Standards Council (PCI SSC) in its PCI DSS Prioritized Approach for PCI DSS 3.0.
Additionally, you can watch Tripwire’s webinar with Jeff Hall, where he shares the biggest “gotchas” that he’s encountered while working with clients on PCI 3.0.