Filter by Category

15 Days to PCI DSS 3.2: Preparing Your Organization for Compliance

pci dss 3.2 readiness checklist

There are two weeks left until February 1, 2018, the date PCI DSS 3.2 becomes enforceable.

In these final weeks, you may be wondering if you’ve checked all the boxes for 3.2 compliance. If you haven’t, is there enough time to prepare? What’s the risk of leaving it up to chance? Preparing to comply may seem labor-intensive, but if your organization fails a PCI DSS audit, you could face hefty fines.

RELATED WHITE PAPER: What’s New in PCI Data Security Standard 3.2

We understand these concerns, and we’re here to help. If you’re looking down the barrel of February’s deadline, get started with this PCI DSS 3. readiness checklist to identify where you’re on track and what still needs to be done.

14-Day Readiness Checklist for Compliance Changes

PCI DSS Goal

Details

Review the contents of PCI DSS 3.2

It’s never a bad idea to refresh your PCI knowledge. You can find all the requirements and details here.

Identify which changes in version 3.2 apply to you

Some of the changes in PCI DSS 3.2 affect everyone, while others only affect service providers. Use this article to determine which requirements apply to you.

Update your card data flow diagram

PCI DSS requirement 1.1.3 obligates organizations to diagram and maintain their card data flows. We recommend updating your flows to ensure all cardholder data is properly accounted for.

Enforce multi-factor authentication (MFA) for all non-console admin access

PCI DSS requirement 8.3 has made MFA mandatory for non-console admin access to cardholder environments. Now is a good time to update any processes that may hinder this transition to MFA.

Record any employees who have access to unmasked Primary Account Numbers 

Only the first six/last four digits of a PAN are allowed to be displayed. The rest must be masked. Those who can see more than these digits must be documented and given a legitimate business need for their access.

Create a policy for setting up security controls in your Cardholder Environments (CDEs)

New in PCI DSS 3.2, any changes made to a CDE must be immediately followed with proper security controls. PCI DSS requirements impacted by CDE changes must then be re-verified to ensure continued compliance with all standards.

Encrypt your data in transit and at rest

PCI data should always be encrypted when in transit and at rest. Use a secure file transfer solution to ensure your data is always protectedno matter where it’s stored.

Ensure cardholder data is sent using secure communication methods

If cardholder data must be sent from one device to another, make sure it’s transferred through protected shared folders, secure mail, or encrypted collaboration, not regular email or text.

Apply firewalls to all portable devices that access the Internet and your CDE

PCI DSS requirement 1.4 requires employee devices that access the Internet and your environment to have frequently-monitored firewalls. You might check to ensure your data is kept out of the DMZ as well. A file transfer solution can help with this.

Review your users’ permissions and restrict access where needed

Requirement 7.1.2 looks for organizations to create an employee-wide, “least-privilege” policy. This ensures that only users with an actual business need can access sensitive cardholder information.

Perform quarterly reviews with your security personnel

If you’re a service provider, the newest version of PCI DSS requires you to perform quarterly reviews with your personnel. This ensures that security practices are being followed and risks are being mitigated.

Educate your team on any updates to your processes

Once you have everything in place for PCI DSS compliance, start a conversation with your team to ensure they understand how PCI DSS 3.2 affects their daily routine. Talking points might include the move to MFA and any further masking of your PANs.

Plan your migration from SSL and early TLS migration to TLS 1.1 or TLS 1.2

SSL and early TLS migration isn’t enforceable until July 1, 2018, but that doesn’t mean you can’t start the process now. Learn more about this requirement on the PCI Security Standards Council website.

 

RELATED READING: 7 Essential Resources on PCI DSS Security

While this checklist is a great place to start, make sure you review the official PCI DSS document library for the full summary of the changes in 3.2.

Are Your Data Transfers PCI Compliant?

GoAnywhere MFT can help you test over 60 security settings in your GoAnywhere environment with the PCI DSS Security Settings Audit Report. This report outputs a PDF that shows you how each area of the solution performed against PCI DSS 3.2.

There are five possible outcomes for each setting tested.

  • Pass: The setting meets the PCI DSS requirement.
  • Fail: The setting does not meet the PCI DSS requirement.
  • Warning: You should look into this issue further to determine if you are compliant.
  • Not Applicable: A check on this setting is not required.
  • Fatal: A configuration problem is preventing GoAnywhere from accessing the appropriate data.

In addition to determining status outcomes, the report will give you recommended actions on how to remedy failed/warning areas and list which section of PCI DSS each security check applies to.

See the report in action.

We’d love to walk you through our PCI reporting. To learn how GoAnywhere can help you meet PCI DSS 3.2 requirements for file transfer encryption, role-based security, and auditing, simply request a demo and mention the PCI DSS Security Settings Audit Report in the comment box.

Request a Demo

 

 

Add a Comment

Allowed tags: <b><i><br>

Latest Posts


What is FTPS?

December 4, 2018

Whether you’re looking to upgrade from your current FTP file transfers or have new requirements from a trading partner or customer, you might be wondering what FTPS is. How does it work, you…


Need an Alternative to AMRDEC SAFE’s File Service? Start Here

November 29, 2018

AMRDEC SAFE Shut Down Due to Security Issues Bad news for the U.S. army: AMRDEC SAFE, the Army Aviation and Missile Research Development and Engineering Center Safe Access File Exchange service that…


How 3 Financial Institutions Solve File Transfer Needs with MFT Software

November 26, 2018

On a scale of 1-10, how would you rate the efficiency of your file transfers right now? If you use manual scripts, legacy software, or a myriad of free tools to balance your encryption, automation,…


Recent 2018 Data Breaches in Healthcare (and How to Avoid Them)

November 14, 2018

Phishing attacks, malware, and employee errors. These are three of the most recent causes for healthcare data breaches in 2018, with more certainly to come. The year isn’t over yet. For anyone…


Which is Better: SFTP vs. MFT?

November 6, 2018

SFTP, or MFT: that is the question. Even though we’re not all famous poets like William Shakespeare, many IT professionals will ask this question at some point or another. Should they use an…