The PCI DSS (Payment Card Industry Data Security Standard) is in a release cycle this year, meaning version 3.0 will be released shortly. At this year’s recent Community Meeting of the PCI Security Standards Council, much discussion centered on the new version of the standard, which is why both our Chief Risk Officer, Jeff Reich, and I attended.
At Layered Tech, we’re busy preparing for the new DSS since a significant number of our clients must meet the requirements, and that same number utilize Layered Tech to handle the majority of the requirement controls on their behalf. We validate our coverage of the DSS controls through a Level 1 Service Provider Report on Compliance that our clients can use during their assessments.
Layered Tech could still assess against PCI DSS 2.0 in January 2014. The industry is allowed to use version 2.0 for a while yet, and it would be easy for Layered Tech to do so since we have already passed on that version. However, there is a chance that a client would want to assess against PCI DSS 3.0 before the end of 2014 but could not do so because of its dependency on Layered Tech’s PCI DSS 2.0 report. With this in mind, we always try to be assessed on new standards as quickly as possible.
Since all new DSS versions come out at the end of the cycle year, and we must have our assessment done by the following May to remain a valid service provider, Layered Tech can find itself in a bit of a time crunch. Each new standard must be analyzed for changes that could significantly impact how our compliant services are delivered. This year is no different and could have some real impact. As of this writing, we only have the Version 3.0 Change Highlights document to refer to. But this document, along with some information provided at the Community Meeting, points to changes in the authentication requirements and to the combining of some requirements, either of which could impact our services.
Between now and January, we must implement any service changes needed, brief our clients on those changes, and get our designated QSA (Qualified Security Assessor) on board with a DSS 3.0 assessment. All of that has to happen before the actual assessment, which itself can be time consuming. I have my work cut out for me, but I have no doubt that we will be successful. After all, Layered Tech has been dealing with this for a while, and we have a proven record of success. When DSS 2.0 came out, we were ready and able to deliver services seamlessly while providing an up-to-date ROC (Report on Compliance) to all our compliant clients.
About the Author: As Director of Compliance and Security Services, Ed Welsh maintains and guides a dedicated team in the delivery of Layered Tech’s compliance and audit services. Ed’s 16 years in IT security include network and web application security experience from positions in the financial industry, HRBlock, Fishnet Security, and independent contracting. He holds a CISSP certification and has been successfully implementing PCI compliant hosting solutions for the last 5 years.