Preparing for PCI DSS 3.0 Reporting and Auditing

In our previous blog article about PCI DSS 3.0, we talked about how an overarching theme of the new and updated requirements is making payment security part of your business-as-usual workflow, instead of a quarterly event. While that was always the case with PCI, the new requirements make it even more explicit. And although this is a great development from a security perspective, it likely means that you’ll need to spend more time reporting and preparing for audits. Here are a few examples of what to watch out for as you prepare for PCI DSS 3.0 compliance:

Examples

You’ll need to collect and report on data you might not be reporting on currently.

2.4: Maintain an inventory of system components that are in scope for PCI DSS.

Testing Procedures

  • Examine system inventory to verify that a list of hardware and software components is maintained and includes a description of function/use for each.
  • Interview personnel to verify the documented inventory is kept current.

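The two testing procedures for Requirement 2.4 boil down to checks you can automate against your own inventory export before an assessor ever sees it: every in-scope component has a description of function/use, and each entry carries a recent review date. The script below is an added example and is not code from the original article or from Alert Logic; the CSV column names, the sample rows and the 90-day review window are assumptions chosen for illustration, not PCI DSS text.

```python
"""
Pre-audit check of a PCI DSS system-component inventory (Requirement 2.4).

Added example, not part of the original article. Assumes the inventory is
kept as a CSV with the columns below; column names, sample rows and the
90-day staleness window are assumptions, not PCI DSS text.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory. In practice this would be a CMDB export.
SAMPLE_INVENTORY = """\
component,type,function_use,in_scope,last_reviewed
pos-gw-01,hardware,Payment gateway appliance,yes,2024-05-02
db-card-01,software,Cardholder data database (PostgreSQL),yes,2023-11-15
web-store-01,software,,yes,2024-04-20
pos-term-07,hardware,Store POS terminal,yes,
build-ci-01,software,Internal CI server,no,2023-01-10
"""

REQUIRED_COLUMNS = {"component", "type", "function_use", "in_scope", "last_reviewed"}
MAX_REVIEW_AGE = timedelta(days=90)  # assumed review cadence, not a PCI value


def load_inventory(text):
    """Parse CSV text into a list of dict rows, refusing a malformed header."""
    reader = csv.DictReader(io.StringIO(text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"inventory missing columns: {sorted(missing)}")
    return list(reader)


def audit_inventory(rows, today, max_age=MAX_REVIEW_AGE):
    """Return (component, finding) pairs for in-scope rows that would not
    satisfy the 2.4 testing procedures: no description of function/use,
    or no recent review date (i.e. not demonstrably 'kept current')."""
    findings = []
    for row in rows:
        if row["in_scope"].strip().lower() != "yes":
            continue  # out-of-scope components are not assessed here
        name = row["component"]
        if not row["function_use"].strip():
            findings.append((name, "no description of function/use"))
        reviewed = row["last_reviewed"].strip()
        if not reviewed:
            findings.append((name, "no review date recorded"))
            continue
        age = today - date.fromisoformat(reviewed)
        if age > max_age:
            findings.append((name, f"last reviewed {age.days} days ago"))
    return findings


def audit_sample(today_iso="2024-06-01"):
    """Run the audit over the constructed sample as of a fixed date."""
    rows = load_inventory(SAMPLE_INVENTORY)
    return audit_inventory(rows, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for component, finding in audit_sample():
        print(f"{component}: {finding}")
```

Running it against the sample flags the stale database entry, the web front end with no function/use recorded, and the POS terminal with no review date; the out-of-scope CI server is ignored. Wiring a check like this into a scheduled job is one way to turn the "kept current" interview question into evidence you already hold.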
You’ll need to protect additional systems.

5.1.2: For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.

Testing Procedures

  • Interview personnel to verify that evolving malware threats are monitored and evaluated for systems not currently considered to be commonly affected by malicious software, in order to confirm whether such systems continue to not require anti-virus software.

Consider maintaining documentation that shows where management regularly reviews and approves of your organization’s exception(s) to the malware and anti-virus requirements of the standard. That way there won’t be any question as to the validity of the exception(s).

You’ll need to document new areas.

12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.

Testing Procedures

  • Verify the entity maintains information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.

Depending on what you’re currently doing, these requirements may require no change, or they may require significant changes to your organization’s PCI auditing and reporting procedures. If they’re new, spend some time now figuring out how you’ll address them. There may be good options freely available to help you. For example, for Requirement 2.4, if you need help creating an inventory and are cost-constrained, check out this recent Dark Reading article: “Free or Low Cost Network Discovery Tools.” For Requirement 12.8.5, if you’re working with a service provider, have a conversation about what documentation is available on the services they’re providing. If you’re working with Alert Logic and would like to see documentation for our products and services, contact your partner or account manager and ask for the Service Definition document for your product or service.