Nov 13, 2013

PCI DSS 3.0 - An Overview of Latest Changes

In today's Whiteboard Wednesday, Nate Crampton, Product Marketing Manager for Nexpose, will break down the latest changes included in PCI DSS 3.0. Watch this quick video to learn about the new requirements.


Welcome to this week's Whiteboard Wednesday. My name is Nate Crampton and I am a product manager here at Rapid7. I would like to talk to you about the PCI DSS 3.0 standard. It is just super exciting. It is actually going to affect all the merchants. So anyone that's processing credit cards, from level one all the way to level four, everyone really needs to pay attention to this.

There are only three focuses of the new standard itself. You know, there is some additional documentation, the kind you create, which everyone loves, I'm sure. They also want you to be aware of your particular environment, and they also want to update based upon some evolving threats that are out there.

Now, if you look at the standard from 2.0 to 3.0, there are really three main things that are changing, three big buckets. The first bucket is the clarifications; this is anywhere they want to add additional information so that you actually understand what the intent of the requirement is.

There is also additional guidance. So this is additional information to help you actually understand what the requirement means, because sometimes, you know, there is only one interpretation that you can make, and they want to help by providing that guidance for you. And the last thing is, there are evolving requirements, so there are emerging threats out there and the market is changing itself. So they really wanted to add some new requirements that actually, you know, refresh 2.0 into a new version itself.

Now if you look at it, granted, this is just a draft. It's planning on being published on November 7th, but if you look at even what it is today, you know, there are 71 clarifications, there are 5 expected guidance changes, there are 22 evolving requirements, and you see the majority of everything is just additional clarification, you know, not too much to worry about.

But there are 22 evolving requirements. This includes some additional documentation you are going to need to create. It also includes some new security practices that you are going to have to implement.

Now if you look at this timeline itself, November 7th, that's when it is planning on being published; January 1st, that's the effective date, January 2014. So this is when the new standard is basically in effect. But even though there are 71 clarifications, there are still 21 long requirements, so it actually can take a little bit longer to implement these things. So they actually give you until January 1st 2015 in order to be compliant.

Now there is an asterisk here because some of the evolving requirements, they do realize, are going to take a little bit longer. So what they have done is each of those will be called out. I think it is probably, you know, a handful of them, but those particular requirements need to be in effect July 1st 2015.

Now you may look at this timeline and say, "Hey, we have over a year to become compliant," but I strongly recommend that you don't wait until next year to start to worry about these standards. On November 7th, when it comes out, I really recommend that you download it, you look at it, you figure out how it is going to affect your organization, and then you plan yourself accordingly. And that's all I have for this Whiteboard Wednesday. We will see you next week.
