November 07, 2014, PCI-DSS 3.0 has been released. The PCI-DSS is a list of standards that are revised every 3 years and are instilled by the PCI-SSC to insure card information data security.
The new revisions will be in effect starting January 1, 2014, while PCI-DSS 2.0 will remain in effect until the end of 2014 to allow corporations time to regulate themselves to the new requirements.
The main revisions of the new requirements are mostly on implementing PCI-DSS in the workplace as everyday business and the importance of employee training.
Here is a list of the new requirements.
- Req. 5.1.2 - evaluate evolving malware threats for any systems not considered to be commonly affected
- Req. 8.2.3 - combined minimum password complexity and strength requirements into one, and increased flexibility for alternatives
- Req. 8.5.1 - for service providers with remote access to customer premises, use unique authentication credentials for each customer
- Req. 8.6 - where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) these must be linked to an individual account and ensure only the intended user can gain access
- Req. 9.3 - control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination
- Req. 9.9 - protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution
- Req. 11.3 and 11.3.4 - implement a methodology for penetration testing; if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective
- Req. 11.5.1 - implement a process to respond to an alerts generated by the change-detection mechanism
- Req. 12.8.5 - maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity
- Req. 12.9 - for service providers, provide the written, agreement/acknowledgment to their customers as specified at requirement 12.8.2