By Jeff Man, Security Strategist and Evangelist, Tenable Network Security, exclusively for CardNotPresent.com
When the PCI Security Standards Council (PCI SSC) published version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS) in November 2013, there were several changes the organization felt were significant enough to warrant a grace period. That reprieve came to an end June 30, 2015, when those changes morphed from “best practice” to “requirement.” There are five new requirements found in PCI DSS v3.0/3.1 that went into effect on that date. The third and final article in this series will examine the requirements that outline a company’s PCI compliance responsibility when dealing with outside vendors.
When PCI DSS v3.0 was first published in November 2013, most of the attention went to what many considered the biggest change to the standard at the time: the greatly expanded definition of penetration testing and the requirement for companies subject to PCI compliance to implement a documented penetration testing methodology (covered in the first installment of this series). But as time has passed and events have unfolded, the new requirements directed at service providers might prove to be the most important and meaningful changes made to the PCI DSS to date.
There have been numerous payment card breaches in the past eighteen months that were successfully conducted through