No Result
View All Result
SUBSCRIBE | NO FEES, NO PAYWALLS
MANAGE MY SUBSCRIPTION
NEWSLETTER
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Compliance

New PCI DSS Goes Beyond Compliance

by Warren W. Stippich
March 7, 2014
in Compliance

As we hear about some of the biggest security breaches in retail history, it seems like good timing that the Payment Card Industry Data Security Standard (PCI DSS) has been updated. The new version became effective January 1, 2014, and all validation efforts for compliance must follow the new standard beginning January 1, 2015. This latest release is part of the Security Standards Council’s continuous improvement cycle to see that it adequately addresses changing security risks. The council also makes updates to provide operational best practices. Version 3.0 takes a step in the direction of embedding security practices into business operations so that it is more than just an exercise in compliance. And with good reason: in today’s data-driven environment, cybersecurity is part of running a successful business. Not only are you protecting against your own risks of fines, losses and reputational hits, you’ll protect and attract customers.

With the new release come five significant changes:

1. Recommendations on making PCI DSS “business as usual”  

The new section entitled “Best Practices for Implementing PCI DSS into Business-as-Usual Processes” provides guidance for maintaining compliance throughout the year. The council has recognized that some organizations have treated compliance as a point-in-time effort. The companies have not taken proper diligence to ensure that controls continue to operate or have not considered the impact of organizational or infrastructure changes on compliance.

The Attestation of Compliance that the merchants sign states, “The merchant has read the PCI DSS and recognizes that they must maintain full PCI DSS compliance at all times.” With the inclusion of this guidance, the council is emphasizing that compliance efforts should be ongoing. They don’t want companies to focus on compliance only around their compliance validation deadline, then have the attention wane the rest of the year. The council wants compliance to be continuous. A few recommendations include:

  • Monitor controls to ensure that they are functioning properly; detect and respond to control failures in a timely manner
  • Review organizational and IT infrastructure changes from a PCI DSS compliance perspective prior to the change being approved and implemented
  • Perform periodic reviews to determine if controls continue to operate and processes continue to be followed

2. Clarification on responsibilities of service providers and their customers  

Whether you are a merchant or service provider, you will need to clearly delineate roles and responsibilities regarding PCI DSS requirements so there is proper coverage and validation. Version 3.0 requires that the roles be defined and documented. Each relationship will need to be addressed on a case-by-case basis since there isn’t a standard way to set up roles. It will be based on the services provided, and the service providers and their customers will set up a scope of validation for auditing.

The clarification of roles will help both merchants and service providers understand their part in the compliance process, take ownership of those responsibilities and ideally be vigilant in maintaining year-round compliance and monitoring their controls.

3. Increased flexibility around password strength

For companies with environments that do not support the specific password composition controls – such as some mainframe or mid-range systems – you’ll need to explore the built-in flexibility to meet the requirements. In the previous version, there were requirements around password strength and complexity that some organizations with older systems couldn’t meet. The council recognizes there are alternative ways to achieve the same effective password strength and wants to accommodate these systems. Organizations now have options to achieve “equivalent strength” through a concept called “password entropy” that makes it more difficult to guess passwords.[1]

4. Requirements for point-of-sale (POS) security

To address the growing number of physical attacks on POS systems, the PCI DSS has incorporated a new requirement to protect devices that capture payment card data via direct physical interaction with the card. This requirement should instill the best practice of inventorying and routinely inspecting POS devices and assessing which devices may be more at risk for tampering (unattended versus attended).

Merchants will be required to have policies and procedures to:

  • maintain a list of devices,
  • periodically inspect devices to look for tampering or substitution and
  • train personnel to be aware of suspicious behavior and report tampering or substitution of devices.

For companies in the retail industry, the POS system security and physical inspection may be particularly burdensome. Depending on your organization’s size, number of locations, current process for POS system inventory and available resources, this requirement could be a major undertaking. The good news is that while version 3.0 goes into effect January 1, 2015, the POS security requirement start date is June 30, 2015.

5. Considerations for handling cardholder data in memory

Companies that internally develop payment applications will need to update software development policies, procedures and training to minimize the exposure of cardholder data while in memory. This requirement is designed to protect against memory-scraping malware being installed that can pull cardholder data from memory. Organizations will need to modify their development processes to address the risk of data exposure through this threat. This applies only to applications developed in house; the Payment Application Data Security Standard addresses this risk for commercial payment applications.[2]

Changing the culture

For an easier transition to version 3.0, we recommend first performing a readiness assessment against the new standard and contact your Qualified Security Assessor if you use one. If this is an internal effort, it’s important that you start early so you have ample time to get your arms around the project. Then you’ll need to identify gaps to be addressed prior to the new standard being required and develop a compliance roadmap. Take into account all factors: company size, compliance approach, number of service providers, state of passwords, industry, retail presence/POS devices, etc. Leverage the PCI DSS Prioritized Approach if possible, which ranks the requirements based on their risk-reduction impact.

The transition may be a cultural change. The goal isn’t simply to verify that specific security technologies are in place, but to emphasize the importance of cardholder data protection and risk management. It’s best to view version 3.0 as not just another compliance mandate, but a driver to make cybersecurity a part of the operational process and a way to effectively run a business.


[1] The standard references National Institute of Standards and Technology Special Publication (NIST SP) 800-63-1, Electronic Authentication Guideline.

[2] See more information at www.pcisecuritystandards.org.


Previous Post

And the Survey Says…

Next Post

The SEC’s Financial Fraud and Accounting Task Force

Warren W. Stippich

Warren W. Stippich

warren stippich grant thornton Warren is the National Governance, Risk and Compliance Solution Leader and the Market Leader of the Chicago Business Advisory Services Group at Grant Thornton LLP. He has over 20 years experience working with multi-national, entrepreneurial, and high-growth public companies, including boards of directors and audit committees. Warren brings experience to the business risk consulting and internal audit services areas from both the public accounting firm and industry perspectives. He leads many Sarbanes-Oxley consulting, internal audit services and SAS 70 projects for a wide-array of publicly traded and private businesses with international operations. He has worked extensively with international internal audit, Sarbanes-Oxley and business consulting assignments in Europe, Russia, China, Southeast Asia, Central and South America and Canada. He has lectured on governance, risk and compliance. Experience Warren began his career with Arthur Andersen in the external audit practice and later in the internal audit services practice. Later, he joined DEKALB Genetics Corporation, a $500 million multi-national public company, as the Vice President of Internal Audit and Worldwide Consulting. Subsequent to DEKALB, Warren was a Managing Director at American Express Tax and Business Services and a Partner in the related attest entity of Altschuler, Melvoin & Glasser LLP and worked in the attest and business consulting areas. Professional certifications

  • Certified Public Accountant (Illinois)
  • Certified Internal Auditor
Memberships
  • American Institute of Certified Public Accountants; Illinois CPA Society
  • Institute of Internal Auditors
  • Board Member and Audit Committee Chair of Gateway Foundation, Inc., Chicago, IL
  • Advisory Board Member of CIBER (Center for International Business Education & Research) at University of Illinois at Urbana-Champaign
  • Board Member of the College of Business Alumni Association of the University of Illinois at Urbana-Champaign
Education Bachelor of Science in Accountancy -University of Illinois at Urbana – Champaign. Warren writes a regular column, Internal Audit Revolution, for CCI.

Related Posts

Fox_DOJ Speeches_f

Analysis of Recent DOJ Statements

by Corporate Compliance Insights
March 23, 2023

DOJ leaders provide insight into agency's plans. Analysis of Recent Statements DOJ Shaping the Future of Corporate Criminal Enforcement What’s...

Fox_2023 ECCP Update_f

2023 Evaluation of Corporate Compliance Programs

by Corporate Compliance Insights
March 23, 2023

Keeping up with 2023 changes to DOJ guidelines. Additions, Deletions & Changes From 2020 2023 Evaluation of Corporate Compliance Programs...

encompass update

Encompass Launches pKYC Maturity Model

by Corporate Compliance Insights
March 22, 2023

KYC automation platform Encompass has unveiled a new perpetual Know Your Customer (pKYC) maturity model designed to help banks improve...

consilio onna partnership

Consilio, Onna Seek to Streamline eDiscovery for Cloud Apps

by Corporate Compliance Insights
March 22, 2023

Legal technology provider Consilio has launched a new platform, Sightline Collect, powered by data management supplier Onna. The platform is...

Next Post
The SEC’s Financial Fraud and Accounting Task Force

The SEC’s Financial Fraud and Accounting Task Force

Compliance Job Interview Q&A

Jump to a Topic

AML Anti-Bribery Anti-Corruption Artificial Intelligence (AI) Automation Banking Board of Directors Board Risk Oversight Business Continuity Planning California Consumer Privacy Act (CCPA) Code of Conduct Communications Management Corporate Culture COVID-19 Cryptocurrency Culture of Ethics Cybercrime Cyber Risk Data Analytics Data Breach Data Governance DOJ Download Due Diligence Enterprise Risk Management (ERM) ESG FCPA Enforcement Actions Financial Crime Financial Crimes Enforcement Network (FinCEN) GDPR HIPAA Know Your Customer (KYC) Machine Learning Monitoring RegTech Reputation Risk Risk Assessment SEC Social Media Risk Supply Chain Technology Third Party Risk Management Tone at the Top Training Whistleblowing
No Result
View All Result

Privacy Policy

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

Got a news tip? Get in touch. Want a weekly round-up in your inbox? Sign up for free. No subscription fees, no paywalls. 

Follow Us

Browse Topics:

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks Published by CCI
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • On Demand Webinars
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Well-Being
  • Whitepapers

© 2022 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe

© 2022 Corporate Compliance Insights

Welcome to CCI. This site uses cookies. Please click OK to accept. Privacy Policy
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT