
Thales Blog

Feeling Overworked with PCI DSS 3.0? You’re in Good Company

September 16, 2014

Charles Goldberg | VP, product marketing

There’s a common lament we all have, which is that there always seems to be more to do, and less time to do it. The difference for those responsible for complying with the Payment Card Industry Data Security Standard (PCI DSS) is that they now have a lot of evidence to point to. For those individuals, the introduction of the most recent PCI security standard, release 3.0, significantly upped the ante in terms of effort required.

While PCI DSS 3.0 took effect in January 2014, organizations can hold off on complying with the standard until January 2015. However, if that sounds like a long way off, you haven’t read the standard.

  • PCI 3.0 has 408 requirements—over 27% more rules than 2.0.
  • 13% of the rules in version 2.0 changed substantially in this new standard.
  • Compared to the effort required to comply with 2.0, it will require 188 additional work days to comply with 3.0.

PCI DSS 3.0: Key Points and Recommendations

Breaches of credit card data continue to happen on a massive scale. Since the huge Target breach was announced back in December 2013, Neiman Marcus, Michaels, Marriott Hotels, P.F. Chang’s, and, most recently, Home Depot have joined the list of victims. Sadly, early indications are that the Home Depot breach may dwarf even Target’s.

The PCI Council’s changes are an effort to adapt to the changing security landscape and the threats that continue to plague merchants. In response to these types of breaches, auditors and the PCI Council will place an increased emphasis on ensuring compliance with specific areas of the standard.

Revisions to the PCI DSS standard served to reinforce the criticality of robust encryption and key management. For example, the rule numbered 3.5.2 in the 2.0 standard was split into separate requirements in order to more clearly articulate that keys should be stored in a secure fashion, and in the fewest possible locations. The PCI Council also elaborated on the principles of split knowledge and dual control, helping underscore the criticality of instituting controls so no single administrator has privileged access to keys and encrypted data.
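To make the split-knowledge and dual-control principles concrete, here is an added illustration (example code written for this post, not part of the Vormetric or Thales products, and not code from the original article). It splits a key into XOR components so that each custodian holds a value that is uniformly random on its own, and reconstructs the key only when every component is presented and the key check value matches. It assumes a 32-byte key and, as a simplification, uses a truncated SHA-256 digest as the key check value in place of the conventional AES-encrypted zero block.

```python
import hashlib
import secrets
from typing import List

KEY_LEN = 32  # assumption for this example: a 256-bit key


def key_check_value(key: bytes) -> str:
    """Short fingerprint a custodian can record without exposing the key.

    Simplified for the example: a truncated SHA-256 digest rather than the
    traditional AES-encrypted zero block.
    """
    return hashlib.sha256(key).hexdigest()[:6]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must all be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int) -> List[bytes]:
    """Split `key` into `custodians` XOR components (split knowledge).

    All but the last component are fresh random bytes; the last is chosen so
    that XOR-ing every component together yields the key. Any proper subset of
    the components is statistically independent of the key, so no single
    custodian (or any group short of the full set) learns anything about it.
    """
    if custodians < 2:
        raise ValueError("split knowledge requires at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for component in components:
        last = xor_bytes(last, component)
    components.append(last)
    return components


def combine_components(components: List[bytes]) -> bytes:
    """XOR every component together; order does not matter."""
    if not components:
        raise ValueError("no components supplied")
    result = bytes(len(components[0]))
    for component in components:
        result = xor_bytes(result, component)
    return result


def load_key_under_dual_control(components: List[bytes], expected_kcv: str) -> bytes:
    """Reconstruct the key only when at least two custodians each present a
    component (dual control) and the recorded key check value matches.

    A missing or corrupted component produces a different KCV, so the check
    detects an incomplete ceremony instead of silently loading a wrong key.
    """
    if len(components) < 2:
        raise ValueError("dual control requires components from at least two custodians")
    key = combine_components(components)
    if key_check_value(key) != expected_kcv:
        raise ValueError("key check value mismatch: a component is missing or corrupted")
    return key


if __name__ == "__main__":
    # Constructed sample key for demonstration only.
    original = secrets.token_bytes(KEY_LEN)
    kcv = key_check_value(original)
    parts = split_key(original, 3)
    # Each custodian's component carries a KCV that differs from the key's.
    for i, part in enumerate(parts):
        print(f"custodian {i + 1} component KCV: {key_check_value(part)}")
    restored = load_key_under_dual_control(parts, kcv)
    print("reconstructed key matches:", restored == original)
```

The KCV is what each custodian records alongside the component ceremony; it lets an auditor confirm the right key was loaded without anyone ever seeing the full key, which is the control the revised requirement is after.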

The Gartner report makes clear that the effort required to comply with PCI DSS has grown significantly, and security teams can safely anticipate that the scrutiny and workloads will continue to increase. To address these expanding demands, security teams will need to continue to optimize their operational efficiency whenever and wherever possible.

That’s why many organizations are increasingly leveraging a platform approach like Vormetric’s. With a comprehensive platform for data-at-rest encryption, security teams can employ one solution that can secure cardholder data, whether it resides in the physical data center, or in virtual, cloud, or big data environments.

By supporting both file-level and column-level encryption, the Vormetric platform offers implementation flexibility. The solution delivers strong separation of duties and secures sensitive data and keys throughout their lifecycle. With these capabilities, the Vormetric Data Security Platform has been proven to help customers not only pass PCI DSS audits, but most importantly, establish strong safeguards around stored cardholder data.

Learn More

Download the Gartner report, “What’s Changing and How to Respond to PCI v3.0”, and get some insights into what’s new in the standard, and how your organization will need to respond. Check the following link to learn more about the Vormetric Data Security Platform [link].

Written by certified professionals at Coalfire®, this white paper goes through the PCI DSS 3.0 controls in great detail and describes how organizations can establish and sustain compliance in public cloud environments.

[Gartner, What’s Changing and How to Respond to PCI v3.0, Avivah Litan and Rajpreet Kaur, 20 August 2014.]