
15 Days to PCI DSS 3.2: Preparing Your Organization for Compliance


There are two weeks left until February 1, 2018, the date PCI DSS 3.2 becomes enforceable.

In these final weeks, you may be wondering if you’ve checked all the boxes for 3.2 compliance. If you haven’t, is there enough time to prepare? What’s the risk of leaving it up to chance? Preparing to comply may seem labor-intensive, but if your organization fails a PCI DSS audit, you could face hefty fines.

RELATED WHITE PAPER: What’s New in PCI Data Security Standard 3.2

We understand these concerns, and we’re here to help. If you’re looking down the barrel of February’s deadline, get started with this PCI DSS 3.2 readiness checklist to identify where you’re on track and what still needs to be done.

14-Day Readiness Checklist for Compliance Changes

PCI DSS Goal / Details

Review the contents of PCI DSS 3.2

It’s never a bad idea to refresh your PCI knowledge. You can find all the requirements and details in the PCI Security Standards Council’s official document library.

Identify which changes in version 3.2 apply to you

Some of the changes in PCI DSS 3.2 affect everyone, while others only affect service providers. Use this article to determine which requirements apply to you.

Update your card data flow diagram

PCI DSS requirement 1.1.3 obligates organizations to diagram and maintain their card data flows. We recommend updating your flows to ensure all cardholder data is properly accounted for.

Enforce multi-factor authentication (MFA) for all non-console admin access

PCI DSS requirement 8.3 has made MFA mandatory for non-console admin access to cardholder environments. Now is a good time to update any processes that may hinder this transition to MFA.

Record any employees who have access to unmasked Primary Account Numbers (PANs)

Only the first six and last four digits of a PAN are allowed to be displayed; the rest must be masked. Anyone who can see more than these digits must be documented and must have a legitimate business need for that access.
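As an added example (not code from the original post or from GoAnywhere), the following Python scans log lines for unmasked PANs and rewrites them to the first-six/last-four display form described above; it uses a Luhn check so that other long numbers (order IDs, timestamps) are not mistaken for card numbers. The log lines are constructed for illustration, and the function and constant names are my own.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log; the card numbers are public test numbers.
SAMPLE_LOG = [
    "2018-01-18 10:02:11 payment ok card=4111 1111 1111 1111 amount=42.00",
    "2018-01-18 10:02:12 order=1234567890123456 status=shipped",
    "2018-01-18 10:02:13 refund card=378282246310005 amount=5.00",
]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out arbitrary digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; mask everything else.
    Separators are dropped so the masked form is uniform."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def redact_line(line: str) -> Tuple[str, int]:
    """Return the line with every Luhn-valid PAN masked, plus the count masked."""
    count = 0
    def repl(m: "re.Match[str]") -> str:
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a card number; leave untouched
        count += 1
        return mask_pan(digits)
    return PAN_RE.sub(repl, line), count

def redact_log(lines: List[str]) -> Tuple[List[str], int]:
    """Redact a whole log; the count tells you how many unmasked PANs leaked."""
    out, total = [], 0
    for line in lines:
        masked, n = redact_line(line)
        out.append(masked)
        total += n
    return out, total
```

A non-zero count from redact_log on a production log is itself a finding: that log is storing unmasked PANs and falls inside the scope of the access-documentation requirement above.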

Create a policy for setting up security controls in your Cardholder Data Environments (CDEs)

New in PCI DSS 3.2, any change made to a CDE must be immediately followed by the proper security controls for the changed components. The PCI DSS requirements affected by the change must then be re-verified to confirm continued compliance with all standards.

Encrypt your data in transit and at rest

PCI data should always be encrypted both in transit and at rest. Use a secure file transfer solution to ensure your data is always protected, no matter where it’s stored.

Ensure cardholder data is sent using secure communication methods

If cardholder data must be sent from one device to another, make sure it’s transferred through protected shared folders, secure mail, or encrypted collaboration, not regular email or text.

Apply firewalls to all portable devices that access the Internet and your CDE

PCI DSS requirement 1.4 requires employee devices that access both the Internet and your environment to have frequently monitored firewalls. You might also check that your cardholder data is kept out of the DMZ. A file transfer solution can help with this.

Review your users’ permissions and restrict access where needed

Requirement 7.1.2 expects organizations to apply an employee-wide “least privilege” policy. This ensures that only users with an actual business need can access sensitive cardholder information.

Perform quarterly reviews with your security personnel

If you’re a service provider, the newest version of PCI DSS requires you to perform quarterly reviews with your personnel. This ensures that security practices are being followed and risks are being mitigated.

Educate your team on any updates to your processes

Once you have everything in place for PCI DSS compliance, start a conversation with your team to ensure they understand how PCI DSS 3.2 affects their daily routine. Talking points might include the move to MFA and any further masking of your PANs.

Plan your migration from SSL and early TLS to TLS 1.1 or TLS 1.2

The migration away from SSL and early TLS isn’t enforceable until July 1, 2018, but that doesn’t mean you can’t start the process now. Learn more about this requirement on the PCI Security Standards Council website.


RELATED READING: 7 Essential Resources on PCI DSS Security

While this checklist is a great place to start, make sure you review the official PCI DSS document library for the full summary of the changes in 3.2.

Are Your Data Transfers PCI Compliant?

GoAnywhere MFT can help you test over 60 security settings in your GoAnywhere environment with the PCI DSS Security Settings Audit Report. This report outputs a PDF that shows you how each area of the solution performed against PCI DSS 3.2.

There are five possible outcomes for each setting tested.

  • Pass: The setting meets the PCI DSS requirement.
  • Fail: The setting does not meet the PCI DSS requirement.
  • Warning: You should look into this issue further to determine if you are compliant.
  • Not Applicable: A check on this setting is not required.
  • Fatal: A configuration problem is preventing GoAnywhere from accessing the appropriate data.

In addition to determining status outcomes, the report will give you recommended actions on how to remedy failed/warning areas and list which section of PCI DSS each security check applies to.

See the report in action.

We’d love to walk you through our PCI reporting. To learn how GoAnywhere can help you meet PCI DSS 3.2 requirements for file transfer encryption, role-based security, and auditing, simply request a demo and mention the PCI DSS Security Settings Audit Report in the comment box.

Request a Demo
