Congratulations to ManagePay Services Sdn Bhd for re-certifying under PCI v3.0. They are the first among our clients who achieve V3.0!
PCI v3.0 maintained the 12 main requirements from PCIv2. PCI DSS v3.0 is effective January 1st 2014, but organisations are given the choice to comply to either v2 or v3 in 2014. All certifications in 2015 (MPSB included) is certified under v3.0. Under v3.0 however, major changes include:
a) Testing of segmentation adequacy through penetration testing
This determines whether segmentation had been done properly. We have seen many implementation where ‘segmentation’ was supposedly implemented, but we found that route between network had unfiltered access between zones. This will ensure whether CDE is properly isolated from non-scoped access.
b) Validation of 3rd party providers
PCI-DSS compliance must be validated if card holder data is being shared out to 3rd party providers. This is either through their own AOC (like AWS), or an agreement to participate in the customer’s PCI program.
c) Business as Usual
By far, this is the most challenging to us. Most of organisations undergoing PCI-DSS struggle in the second and third year re-certification as they need to demonstrate compliance in everyday activities and not just during audit period.
d) Protection of POS
Most of the issues of recent times like Target are due to POS Malware exploitation.V3.0 requires companies to maintain inventory and maintaining POS from being tampered with as well as periodic training.
Of course, v3.0 covers a lot more than these. For a more detailed look at PCIv3.1 and how it affects your organisation, you can contact avantedge@pkfmalaysia.com. Or you can join our monthly PCI training, which is HRDF claimable, the latest schedule is at http://www.pkfavantedge.com/training-programs/.