What You Need to Know About PCI DSS 3.0 – Closed to Risk, Open to Business

We’ve been closely following all the revelations about the recent massive credit card breach at Target stores in the U.S., which was soon followed by news of credit card theft from Neiman Marcus and Michael’s stores. Corey Nachreiner has done a great job of summarizing the chain of events in a recent blog post.

It is likely that all of these retailers, Target, Michael’s, and Neiman Marcus, had passed their PCI compliance audits. But malware was used to scrape credit card data from the RAM of Point of Sale (POS) systems, and it looks like the attackers broke into Target’s IT infrastructure using stolen third-party vendor credentials. The net result is that consumer confidence in the safety of credit card data is probably even lower today than it was back in 2004, when the PCI standard was first introduced. In the wake of these breaches, many people, including Gartner analysts, have been asking whether the PCI standard is worthwhile.

PCI is not a panacea for all credit card loss. It is a basic set of security controls that codifies common sense security practices. Compliance is not security. Passing an annual audit for the PCI standard does not guarantee the safety of your customers’ data, much like getting a driver’s license does not mean that you will never crash a car. You need to remain vigilant at all times.

It is debatable whether the standard is adapting fast enough, but it is still important for affected security pros to stay current with the latest updates. To help you, WatchGuard has just finished a new webinar on credit card security and the updates in PCI DSS 3.0, titled “Closed to Risk, Open for Business.”

PCI DSS is a fairly mature standard now. Most of the changes in PCI DSS version 3.0, which was published in November 2013 and took effect in January 2014, are there to clear up points of confusion between QSAs and the companies they audit.

In fact, 62 of the listed changes are Clarifications, another 5 are Additional Guidance, and 19 more significant updates fall into the category of Evolving Requirements. The Evolving Requirements are probably the most significant, and some of the key new areas of emphasis include:

  • Combined password strength requirements.
  • Relationship and responsibilities of third-party vendors and cloud providers.
  • Better documentation of scope: network diagrams should not include cardholder data flows; maintain an inventory of in-scope systems and an inventory of wireless access points.

To find out more details about PCI DSS and what’s new in version 3.0, you can watch the full WatchGuard webinar here.


About brendanpatt

Brendan Patterson is a Director of Product Management at WatchGuard Technologies, with responsibility for the WatchGuard Fireware operating system. He has worked closely with WatchGuard's security partners to deliver best-of-breed security services for the UTM platform. Brendan is a Certified Information Systems Security Professional (CISSP) with over 15 years' experience in security and networking technologies. Prior to WatchGuard, Brendan was Vice President of Marketing at The PowerTech Group, a leader in enterprise security solutions for IBM mid-range servers. He was instrumental in expanding the product line and in the successful launch of two new regulatory compliance products. Brendan has a master's degree in the Management of Technology from the Massachusetts Institute of Technology, Cambridge, Mass., and a bachelor's degree in Mechanical Engineering from the National University of Ireland.
