Data Protection

PCI DSS 3.2: A focus on Third Parties

PCI DSS version 3.2 is available for use now and becomes the only valid standard when version 3.1 is retired on 31 October 2016. The new requirements introduced in the standard are considered best practices until 31 January 2018; from 1 February 2018 they will be in effect as requirements.

Third parties are an area of considerable risk for organisations (as well as an opportunity). An organisation could take all reasonable measures to protect its internal network, only to find that weaknesses in the controls of a third-party service provider result in a data breach. Hackers may target third-party systems hoping that controls there are weaker, gaining access to valuable customer data, e.g. payment card details.

PCI DSS 3.2 requires service providers to demonstrate that they are continually protecting cardholder data. Compliance with PCI DSS is not just a periodic exercise; controls should be subject to continuous monitoring. New requirements in PCI DSS 3.2 for service providers emphasise the importance of validating that security controls are in place and working effectively, for example:

• Reporting on failures of critical security control systems: formal processes for the prompt detection of, and alerting on, critical security control failures must be in place, so that failures do not go undetected for extended periods and give attackers ample time to compromise systems and steal data.
• Conducting regular penetration testing of segmentation controls, at least every six months: for service providers, validation of PCI DSS scope should be performed as frequently as possible.
• Performing reviews at least quarterly to confirm that personnel are following security policies and operational procedures: the purpose of these independent checks is to review evidence confirming that security activities are being performed as designed. These reviews can also be used to verify that appropriate evidence is being maintained, for example audit logs, vulnerability scan reports, firewall reviews, etc.
• Establishing responsibility for protection of cardholder data and the PCI DSS compliance programme at executive management level: executives need to be fully aware and able to ask questions.

The link below provides access to a full copy of PCI DSS 3.2:
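As an added example (not from the original post), the script below checks whether a service provider's evidence of the activities listed above is current against the cadences the post names: segmentation testing at least every six months and policy/procedure reviews at least quarterly. The activity names, the daily status check for critical security controls, and the sample evidence records are constructed assumptions for illustration.

```python
"""Flag PCI DSS 3.2 service-provider activities whose evidence is overdue."""
from datetime import date, timedelta

# Maximum allowed gap between successive pieces of evidence for each activity.
# The first two follow the cadences stated in the post; the third is an assumed
# daily status check covering failures of critical security control systems.
REQUIRED_CADENCE = {
    "segmentation_pentest": timedelta(days=182),      # at least every six months
    "policy_procedure_review": timedelta(days=91),    # at least quarterly
    "critical_control_status_check": timedelta(days=1),  # assumption: daily
}

# Constructed sample evidence: (activity, date the evidence was produced).
SAMPLE_EVIDENCE = [
    ("segmentation_pentest", date(2016, 7, 1)),
    ("policy_procedure_review", date(2016, 12, 15)),
    ("critical_control_status_check", date(2017, 2, 28)),
]


def overdue_activities(evidence, today):
    """Return {activity: days_overdue} for every required activity whose latest
    evidence is older than its cadence. An activity with no evidence at all maps
    to None, so a missing control is reported rather than silently passed."""
    latest = {}
    for activity, when in evidence:
        if activity in REQUIRED_CADENCE and when > latest.get(activity, date.min):
            latest[activity] = when
    overdue = {}
    for activity, max_gap in REQUIRED_CADENCE.items():
        if activity not in latest:
            overdue[activity] = None
            continue
        gap = today - latest[activity]
        if gap > max_gap:
            overdue[activity] = (gap - max_gap).days
    return overdue


if __name__ == "__main__":
    for activity, days in overdue_activities(SAMPLE_EVIDENCE, date(2017, 3, 1)).items():
        status = "no evidence on record" if days is None else f"overdue by {days} days"
        print(f"ALERT {activity}: {status}")
```

Run against the sample records with a review date of 1 March 2017, only the segmentation test is flagged; the quarterly review and the daily status check are still within their windows.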