As the Jan. 1, 2015 mandatory deadline for compliance with the Payment Card Industry Data Security Standard version 3.0 approaches, there is increasing urgency to not only understand the most important changes in PCI DSS 3.0, but also to be ready for a rigorous QSA assessment against those changes. Since PCI 3.0 is bigger, harder and more expensive than the previous iteration, merchants have their work cut out for them.
In this special presentation, PCI DSS expert Nancy Rodriguez offers a detailed review of what's new in PCI DSS 3.0 to help enterprises understand how to augment existing PCI compliance programs to comply with the new standard.
See the following resources recommended by the speaker:
- To learn more about the additional key management best practices, download NIST Special Publication 800-57, "Recommendations for Key Management: Parts 1, 2 & 3."
- For those systems that cannot meet the minimum length of at least seven alphanumeric characters, PCI DSS now allows for use of passwords with "equivalent strength," called password entropy. Refer to NIST Special Publication 800-63-1.
- Examples of risk assessment methodologies include (but are not limited to):
  - OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
  - ISO 27005
  - NIST SP 800-30
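The "equivalent strength" resource above refers to password entropy as the yardstick for systems that cannot enforce a seven-character alphanumeric minimum. The following is an added illustration, not material from the presentation or from NIST: it compares candidate policies against that seven-alphanumeric baseline using the maximum-entropy formula for uniformly random passwords (length times log2 of the character-set size). The character-set sizes, policy labels and function names are assumptions for the example; note that NIST SP 800-63-1 credits user-chosen passwords with considerably less entropy than this random-password bound, so the numbers here are an upper limit, not a substitute for the publication's own estimation tables.

```python
import math

# Baseline taken from the PCI DSS 3.0 discussion: at least seven alphanumeric
# characters (A-Z, a-z, 0-9 -> 62 symbols). The 62 is an assumption about
# what "alphanumeric" means for the target system.
BASELINE_CHARSET = 62
BASELINE_LENGTH = 7

# Assumed character-set sizes for the alternative policies compared below.
CHARSET_SIZES = {
    "digits": 10,            # numeric-only keypad / PIN
    "lowercase": 26,         # legacy device that cannot store mixed case
    "alphanumeric": 62,      # the PCI baseline character set
    "printable_ascii": 95,   # full printable ASCII incl. symbols
}


def policy_entropy_bits(charset_size: int, length: int) -> float:
    """Maximum entropy in bits of a password of `length` symbols drawn
    uniformly at random from `charset_size` symbols: length * log2(charset).
    This is the random-password upper bound only; user-chosen passwords
    are far weaker in practice."""
    if charset_size < 2 or length < 1:
        raise ValueError("charset_size must be >= 2 and length >= 1")
    return length * math.log2(charset_size)


def baseline_bits() -> float:
    """Entropy of the PCI seven-character alphanumeric baseline (~41.68 bits)."""
    return policy_entropy_bits(BASELINE_CHARSET, BASELINE_LENGTH)


def meets_baseline(charset_size: int, length: int) -> bool:
    """True if a policy reaches at least the baseline entropy."""
    return policy_entropy_bits(charset_size, length) >= baseline_bits()


def minimum_length_for_equivalence(charset_size: int) -> int:
    """Smallest length at which a uniformly random password over
    `charset_size` symbols reaches the baseline entropy. A tiny tolerance
    keeps floating-point rounding from pushing an exact match up by one."""
    return math.ceil(baseline_bits() / math.log2(charset_size) - 1e-9)


def compare_policies(policies):
    """policies: iterable of (label, charset_size, length).
    Returns rows of (label, entropy_bits_rounded, meets_baseline)."""
    return [
        (label, round(policy_entropy_bits(c, n), 2), meets_baseline(c, n))
        for label, c, n in policies
    ]


if __name__ == "__main__":
    # Constructed sample policies a compliance team might be asked to evaluate.
    sample = [
        ("PCI baseline: 7 alphanumeric", CHARSET_SIZES["alphanumeric"], 7),
        ("6 printable ASCII", CHARSET_SIZES["printable_ascii"], 6),
        ("12-digit PIN", CHARSET_SIZES["digits"], 12),
        ("13-digit PIN", CHARSET_SIZES["digits"], 13),
        ("9 lowercase letters", CHARSET_SIZES["lowercase"], 9),
    ]
    print(f"baseline = {baseline_bits():.2f} bits")
    for label, bits, ok in compare_policies(sample):
        print(f"{label:32s} {bits:6.2f} bits  {'OK' if ok else 'below baseline'}")
    for name, size in CHARSET_SIZES.items():
        print(f"min length for {name:16s}: {minimum_length_for_equivalence(size)}")
```

The comparison shows why "equivalent strength" is not a free pass: dropping a single character from the baseline is not offset by adding symbols, and a numeric-only system needs thirteen digits before its random-password bound catches up. Any real equivalence argument for a QSA should use the SP 800-63-1 methodology rather than this upper bound.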
Rodriguez begins with a summary of the nearly 100 total changes in PCI 3.0, highlighting that only about 20% of them are brand-new requirements. She also discusses the increased emphasis placed on business-as-usual compliance and on vendor management and oversight, as well as how the PCI Prioritized Approach paradigm should be used to reduce risk while working toward PCI compliance.
Rodriguez then dives into the specific language changes to the requirements of PCI DSS 3.0. She covers how network diagrams and system component inventories must be changed, how malware assessments and anti-malware system integrity must be managed, and how application coding practices must be reviewed, followed by a host of additional changes to PCI requirements 8-12.
About the speaker:
Nancy Rodriguez is global PCI compliance director for a large multinational electronics vendor. She has more than a decade of experience in PCI DSS compliance program creation and management, with special expertise in stakeholder coordination, risk assessment and management, policies and procedures, training and awareness, auditing and monitoring, disciplinary standards and evidence, and incident/event management. Previously she helped build and manage the PCI compliance program for Citigroup, and has also served on the PCI Security Standards Council Board of Advisors.