- PCI DSS v 3.2 Compliance
Sourcefit has earned and maintains a PCI DSS v 3.2 Compliance certification. This certification further demonstrates our commitment to giving the highest quality of service and our dedication to the continuous improvement of our systems.
- What is PCI DSS v 3.2 Compliance?
PCI DSS v 3.2 compliance is the process of adhering to the new Payment Card Industry Data Security Standard (PCI DSS) requirements on a regular basis. PCI DSS is a compilation of standards to help companies maintain a secure environment when accepting, processing and storing credit card information. The PCI DSS aims to reduce credit card fraud through increased controls around cardholder data. The PCI DSS constantly evolves to improve payment account security in response to industry issues and trends.
The Payment Card Industry Security Standards Council (PCI SSC) is responsible for administering and managing the PCI DSS, while the payment brands (such as Visa, MasterCard, American Express, Discover and JCB) are responsible for enforcing compliance. Sourcefit's PCI DSS compliance certification and validation were conducted by an external Qualified Security Assessor (QSA).
PCI DSS version 3.2 Updates
Version 3.1 of the PCI DSS expired on October 31, 2016 and was replaced by PCI DSS v 3.2. In version 3.2, new requirements were added to the PCI DSS from the Designated Entities Supplemental Validation (DESV) criteria, and some existing requirements were expanded to include DESV controls for service providers. Version 3.2 provides greater assurance that security will remain up to standards for both service providers and their customers.
The PCI SSC has urged companies to adopt the new standard as soon as possible to prevent and respond appropriately to potential attacks that can lead to payment data security breaches.
- PCI DSS v 3.2 Compliance Benefits
Benefits to the Organization
Improved security controls.
New devices constantly being added to company networks make it easier for cardholder data security to be compromised. For example, an individual who is unaware of security and data protection standards can inadvertently introduce viruses after connecting a mobile device to the company’s network.
PCI DSS v 3.2 improves security controls by helping organizations focus on adaptive compliance, such as having processes in place to analyze how changes can affect security controls and the data environment. Instead of relying on the annual validation alone, building validation into management processes ensures up-to-date device configuration standards and security controls that can adapt to changes on the fly.
More efficient reporting of and response to security changes.
PCI DSS v 3.2 helps introduce new processes that simplify compliance responsibilities and make reporting of security changes and incidents within the organization more efficient. These processes also help decision makers view security controls as something that evolves and adapts with the company and its data environment, rather than as a yearly assessment.
Benefits to Outsourcing Services Customers
New rules in PCI DSS v 3.2 entail having formal processes in place for identifying and reporting system failures. The PCI SSC encourages all organizations to adopt similar measures to enhance security based on their unique environment.
In addition, service providers must also perform penetration testing on segmentation controls every six months to show that the segmented environment is isolated. Validation should be conducted as frequently as possible to ensure that controls are up to date and working properly.
Under new rule 12.4.1, executive management of service providers is also required to establish a PCI DSS compliance program. Managers can delegate roles to units within the organization, but executive involvement is important for visibility.
Quarterly reviews for service providers.
PCI DSS v 3.2 requires service providers to perform quarterly reviews of security policies and procedures. Reviews determine whether or not security controls are operating as expected and whether important records (vulnerability scan reports, audit logs, etc.) are being maintained.
Performing all of these PCI DSS v 3.2 compliance measures helps improve and maintain a high standard of company system and network security.
Benefits to the Community
Improved customer experience and relationships.
PCI DSS compliance is a significant boost to customer confidence and the overall customer experience. Ongoing PCI DSS compliance demonstrates an organization’s commitment to the highest security standards that protect customer information and prevent security breaches. PCI DSS compliance encourages potential leads to become customers because they trust you with their card information. For existing clients, compliance encourages repeat purchases.