PCI DSS is a globally recognized compliance standard that all organizations must follow whenever storing, processing, and transmitting credit card information.

1. If you would like
more information
on our services,
please contact:
Tony Munns, FBCS, CITP,
CIRM, CISA
Partner,
Advisory Services
314.983.1297
amunns@bswllc.com
Michael Springer, CISSP,
GPEN, CEH, QSA
Supervisor,
Advisory Services
314.983.1374
mspringer@bswllc.com
Key New Requirements
Added to PCI DSS 3.0
PCI DSS is a globally recognized compliance standard that all organizations, including merchants
and service providers, must follow whenever storing, processing and transmitting credit card
information. Organizations should put in the effort now to prepare for compliance with PCI DSS 3.0,
which companies are required to have in place before the January 1, 2015 deadline.
PCI DSS 3.0 comprises 12 high-level requirements, and contained in these are well over 200 sub-
requirements pertaining to managing the security of people, processes and technologies.
Here are the key new requirements:
St. Louis, MO
St. Charles, MO
Glen Carbon, IL
Toll-Free 1.888.279.2792
bswllc.com
Requirement #1 - Install and maintain a firewall configuration to protect cardholder data
• 1.1.3 – New requirement that current diagram must show all cardholder data flows across
systems and networks.
Requirement #2 - Do not use vendor-supplied defaults for system passwords and parameters
• 2.4 – New requirement to maintain an inventory of system components in scope for PCI DSS to
support development of configuration standards.
Requirement #5 - Protect all systems against malware and regularly update anti-virus
• 5.1.2 – New requirement to evaluate evolving malware threats for any systems not considered to
be commonly affected by malicious software.
• 5.3 – New requirement to ensure that anti-virus solutions are actively running (formerly in 5.2),
and cannot be disabled or altered by users unless specifically authorized by management on a
per-case basis.
Requirement #6 - Develop and maintain secure systems and applications
• 6.5.10 – New requirement for coding practices to protect against broken authentication and
session management.
Requirement #8 - Identify and authenticate access to system components
• 8.2.3 – Combined minimum password complexity and strength requirements into single
requirement, and increased flexibility for alternatives that meet the equivalent complexity and
strength.
• 8.5.1 – New requirement for service providers with remote access to customer premises to use
unique authentication credentials for each customer.
• 8.6 – New requirement where other authentication mechanisms are used (for example, physical
or logical security tokens, smart cards, certificates, etc.) that the mechanisms must be linked to
an individual account and ensure only the intended user can gain access with that mechanism.
Requirement #9 - Restrict physical access to cardholder data
• 9.3 – New requirement to control physical access to sensitive areas for onsite personnel,
including a process to authorize access, and revoke access immediately upon termination.
• 9.9.X – New requirements to protect devices that capture payment card data via direct physical
interaction with the card from tampering and substitution.
continues on next page >
1

2. Requirement #11 - Regularly test security systems and processes
• 11.1.X – Enhanced requirement to include an inventory of authorized wireless access points
and a business justification (11.1.1) to support scanning for unauthorized wireless devices, and
added new requirement 11.1.2 to align with an already-existing testing procedure, for incident
response procedures if unauthorized wireless access points are detected.
• 11.3 – New requirement to implement a methodology for penetration testing.
• 11.3.4 – New requirement, if segmentation is used to isolate the CDE from other networks, to
perform penetration tests to verify that the segmentation methods are operational and effective.
• 11.5.1 – New requirement to implement a process to respond to any alerts generated by the
change-detection mechanism (supports 11.5).
Requirement #12 - Maintain a policy that addresses information security for all personnel
• 12.2 – Moved former requirement 12.1.2 for an annual risk assessment process to 12.2, and
clarified that the risk assessment should be performed at least annually and after significant
changes to the environment.
• 12.8.5 – New requirement to maintain information about which PCI DSS requirements are
managed by each service provider, and which are managed by the entity.
• 12.9 – New requirement for service providers to provide the written agreement/
acknowledgment to their customers as specified at requirement 12.8.
2
5 Tips for Managing PCI Compliance in Any Organization
1. Focus on Scoping: Utilize network segmentation or other strategies to help limit or
reduce the scope of the PCI DSS 3.0 requirements.
2. Reduce Costs: Additional scope-reducing techniques are often recommended, such as
tokenization and outsourcing, which further help to reduce the cost and complexity of correctly
implementing PCI DSS 3.0.
3. Make It a Team Effort: Compliance needs to be a part of everybody’s job—from
executives and the IT security team to staff and administrators.
4. Think of Compliance Year-Round: In order to be effective, compliance must be
an ongoing effort and worked into a wider risk management strategy.
5. Leverage Compliance as an Opportunity: Take a fresh look at systems and
reevaluate the processes that affect your business.
To discuss managing PCI compliance in your organization, contact Tony Munns at 314.983.1297 or
amunns@bswllc.com, or Michael Springer at 314.983.1374 or mspringer@bswllc.com.