Five PCI DSS 3.0 “Best Practices” About to Become Required

May 18, 2015 • Category: Industry Topics

When PCI DSS v3.0 became effective January 1, 2015, businesses were allowed an additional six months’ leeway on a handful of requirements. During that period, these “evolving requirements” could be treated as “best practices” rather than must-dos.

As of July 1, 2015, however, these five best practices become required:

  • 6.5.10 – Requires specific coding practices to protect against broken authentication and session management (impacted SAQs: SAQ A-EP, SAQ D-Merchant, SAQ D-Service Provider);
  • 8.5.1 – Requires that service providers with remote access to customer premises use unique authentication credentials for each customer (impacted SAQ: SAQ D-Service Provider);
  • 9.9.x – Requires that devices capturing payment card data via direct physical interaction with the card be protected from tampering and substitution (impacted SAQs: SAQ C, SAQ B, SAQ B-IP, SAQ D-Merchant, SAQ D-Service Provider);
  • 11.3 – Requires a methodology be implemented for penetration testing (impacted SAQs: SAQ A-EP, SAQ D-Merchant, SAQ D-Service Provider); and
  • 12.9 – Requires that service providers provide the written agreement/acknowledgment to their customers as specified at requirement 12.8 (impacted SAQ: SAQ D-Service Provider).

As you can see, awareness of these changes is especially important for those undergoing a QSA (Qualified Security Assessor) audit or self-attesting using one of the more complex SAQs (i.e., SAQ A-EP, SAQ D-Merchant and SAQ D-Service Provider).

Common Questions and their Answers

  • Question: If I completed my most recent SAQ in November, 2014, using version 2.0 of the PCI DSS, will I have to start adhering to the above requirements on July 1, 2015?

    Answer:
    No, you are good until November, 2015. That said, the PCI DSS 3.0 represents a very solid set of security practices, so we highly recommend that you look at them and follow them now as a minimum set of best practices.
  • Question: If I completed my most recent SAQ in March, 2015, using version 3.0 of the PCI DSS, will I have to start adhering to the above requirements on July 1, 2015?

    Answer:
    No, you are good until March, 2016. That said, these evolving requirements represent a very solid set of security practices, so we highly recommend that you look at them and follow them now as a minimum set of best practices.
  • Question: What about PCI DSS v3.1? Aren’t those new requirements in effect?

    Answer:
    PCI DSS 3.1 was released last month, but the new requirements don’t become effective until July 1, 2016. You know what I am going to say here, right? The PCI DSS 3.1 changes represent a very solid set of security practices, so we highly recommend that you look at them and follow them now as a minimum set of best practices.

Want to learn more about how the PCI DSS applies to your business or small business data security in general? Click here or give us a call at 1-800-825-3301 x 2. We’d be happy to help.