Be ready or be dead!

"If you know yourself and you know your enemies, you will not be imperiled in a hundred battles..."

- Sun Tzu -

Wednesday, March 19, 2014

PCI DSS Requirements

This is a brief compilation of PCI DSS requirements, from which software responsibilities can be told apart from infrastructure responsibilities. PCI DSS has 12 (twelve) fundamental requirements, grouped into six main categories as follows:

A. Build and maintain a secure network

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

B. Protect cardholder data

  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

C. Maintain a vulnerability management program

  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications

D. Implement strong access control measures

  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

E. Regularly monitor and test networks

  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

F. Maintain an information security policy

  12. Maintain a policy that addresses information security

Currently, compliance with the PCI DSS 3.0 standard should be observed. It is important to point out that PCI DSS is focused on security: it tries to ensure that payments are made business-as-usual. No more, no less.

Security problems exist inside organizations more than they come from outside threats. Employees who do not follow adequate security principles can put their company's data at risk. Consequently, the first step every organization needs to take is to educate its people on security habits.

PCI DSS 3.0 states that it is mandatory to observe:

A. Increased security awareness

  1. Password education for users
  2. POS security training and education

B. Greater flexibility

This means that every organization can adopt the security model best suited to its business model and goals. It does not mean implementing weak security rules, but adopting the best solution. The new requirements in version 3.0 express this in the following words:

  1. "Allows for organizations to implement the password strength that is appropriate for its security strategy"
  2. "More flexibility to prioritize log reviews based on organization's risk management strategy"

C. Security is a shared responsibility

Version 3.0 is clear and direct in stating that security matters to all participants. Support, maintenance and development constitute a main point to consider in this respect. Commonly, institutions rely on third parties for those tasks. Outsourcing brings a security threat that apparently lies outside the business boundary, but it does not. Consider that an in-house solution means one point of failure, whereas outsourced services introduce several. Because of this, PCI DSS 3.0 defines responsibilities that service providers must comply with.

These days, another channel that demands special attention is mobile. Since mobile devices are very common and users make massive use of mobile networks and devices, close attention is needed to comply with version 3.0.

PCI DSS 3.0 came into effect on January 31, 2014, but organizations responsible for complying with PCI DSS and PCI Application Data Security have until January 2015; this means that version 2.0 will be accepted as valid until December 2014.

To summarize, the new requirements for PCI DSS are:

  • 5.1.2 - evaluate evolving malware threats for any systems not considered to be commonly affected;
  • 8.2.3 - combined minimum password complexity and strength requirements into one, and increased flexibility for alternatives;
  • 8.5.1 - for service providers with remote access to customer premises, use unique authentication credentials for each customer;
  • 8.6 - where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates) these must be linked to an individual account and ensure only the intended user can gain access;
  • 9.3 - control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination;
  • 9.9 - protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution;
  • 11.3 and 11.3.4 - implement a methodology for penetration testing. If segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective;
  • 11.5.1 - implement a process to respond to any alerts generated by the change-detection mechanism;
  • 12.8.5 - maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity;
  • 12.9 - for service providers, provide the written agreement/acknowledgment to their customers as specified at requirement 

and the new requirements for the Payment Application Data Security Standard (PA-DSS) are:

  • 5.1.5 - payment application developers to verify integrity of source code during the development process;
  • 5.1.6 - payment applications to be developed according to industry best practice for secure coding techniques;
  • 5.4 - payment application suppliers to incorporate a versioning methodology for each payment application;
  • 5.5 - payment application suppliers to incorporate risk assessment techniques into their software development process;
  • 7.3 - application suppliers to provide release notes for all application updates (I like this one);
  • 10.2.2 - suppliers with remote access to customer premises (for example, to provide support/maintenance services) to use unique authentication credentials for each customer;
  • 14.1 - provide information security and PA-DSS training for supplier personnel with PA-DSS responsibility at least annually.
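Requirement 11.5.1 above asks for a process to respond to every alert raised by the change-detection mechanism (and 5.1.5 asks developers to verify the integrity of what they ship). The following is an added example, not code from the original post or from the PCI SSC, of what the minimal mechanism and the response process look like together: a SHA-256 baseline of monitored files, a comparison run that yields added/modified/removed alerts, and a triage step that closes alerts covered by an approved change and escalates everything else. The directory layout, file names (`bin/pos_agent`, `etc/pos.conf`, `bin/helper`) and the approved-change set are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its hash."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def detect_changes(root: Path, baseline: dict) -> list:
    """Compare the current tree with the baseline; each difference is one alert."""
    current = build_baseline(root)
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            alerts.append(("removed", rel))
        elif rel not in baseline:
            alerts.append(("added", rel))
        elif baseline[rel] != current[rel]:
            alerts.append(("modified", rel))
    return alerts


def triage(alerts: list, approved_changes: set) -> dict:
    """The 11.5.1 response process: no alert is dropped.

    An alert whose path is covered by an approved change record is closed;
    anything else is escalated for investigation. The approved-change set is
    a stand-in for whatever change-management system the organization uses.
    """
    outcome = {"closed": [], "escalated": []}
    for kind, rel in alerts:
        bucket = "closed" if rel in approved_changes else "escalated"
        outcome[bucket].append((kind, rel))
    return outcome


def demo() -> dict:
    """Constructed scenario: one approved config edit, one unapproved binary
    change and one unexpected new file appear after the baseline was taken."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "pos_agent").write_bytes(b"release 1 binary")
        (root / "etc" / "pos.conf").write_text("debug=false\n")
        baseline = build_baseline(root)

        # Changes made after the baseline (all constructed for the example).
        (root / "etc" / "pos.conf").write_text("debug=false\ntimeout=30\n")
        (root / "bin" / "pos_agent").write_bytes(b"release 1 binary, unexpected content")
        (root / "bin" / "helper").write_bytes(b"file nobody asked for")

        alerts = detect_changes(root, baseline)
        # Only the config edit went through change management.
        return triage(alerts, approved_changes={"etc/pos.conf"})


if __name__ == "__main__":
    for bucket, items in demo().items():
        print(bucket, items)
```

The important design point is in `triage`: the comparison alone satisfies the detection half of requirement 11.5, but 11.5.1 is about what happens next, so every alert ends up in exactly one of the two buckets and the escalated list is what an operator has to act on and document.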
