15 Days to PCI DSS 3.2: Preparing Your Organization for Compliance

There are two weeks left until February 1, 2018, the date PCI DSS 3.2 becomes enforceable.

In these final weeks, you may be wondering if you’ve checked all the boxes for 3.2 compliance. If you haven’t, is there enough time to prepare? What’s the risk of leaving it up to chance? Preparing to comply may seem labor-intensive, but if your organization fails a PCI DSS audit, you could face hefty fines.

RELATED WHITE PAPER: What’s New in PCI Data Security Standard 3.2

We understand these concerns, and we’re here to help. If you’re looking down the barrel of February’s deadline, get started with this PCI DSS 3.2 readiness checklist to identify where you’re on track and what still needs to be done.

14-Day Readiness Checklist for Compliance Changes

PCI DSS Goal

Details

Review the contents of PCI DSS 3.2

It’s never a bad idea to refresh your PCI knowledge. You can find all the requirements and details here.

Identify which changes in version 3.2 apply to you

Some of the changes in PCI DSS 3.2 affect everyone, while others only affect service providers. Use this article to determine which requirements apply to you.

Update your card data flow diagram

PCI DSS requirement 1.1.3 obligates organizations to diagram and maintain their card data flows. We recommend updating your flows to ensure all cardholder data is properly accounted for.

Enforce multi-factor authentication (MFA) for all non-console admin access

PCI DSS requirement 8.3 has made MFA mandatory for non-console admin access to cardholder environments. Now is a good time to update any processes that may hinder this transition to MFA.

Record any employees who have access to unmasked Primary Account Numbers (PANs)

Only the first six and last four digits of a PAN may be displayed; the rest must be masked. Anyone who can see more than those digits must be documented and must have a legitimate business need for that access.
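The masking rule above is concrete enough to check in code. The following is an added example (not GoAnywhere code): a masking helper that keeps only the first six and last four digits, plus a scan that flags lines of a log or export still carrying a full PAN, so the set of people who can read those lines can be compared against the documented list. The sample records are constructed; the card numbers are well-known test values, not real cards.

```python
import re

# Constructed sample records (added example, not GoAnywhere code). The PANs
# are standard test numbers, not real cards.
SAMPLE_RECORDS = [
    "order=1001 pan=4111111111111111 amount=19.99",
    "order=1002 pan=5500 0000 0000 0004 amount=5.00",
    "order=1003 pan=3782 822463 10005 amount=120.00",
    "order=1004 pan=4111 amount=1.00",   # four digits: not a PAN
]

# A PAN is 13 to 19 digits; forms and exports often insert spaces or dashes.
# The look-arounds stop a match from starting or ending inside a longer
# digit run such as a timestamp, and the pattern must end on a digit so no
# trailing separator is swallowed.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def mask_pan(pan: str, mask_char: str = "*") -> str:
    """Return the PAN with only the first six and last four digits visible.

    Separators are stripped first so the visible digits are the real BIN
    and last-four rather than whatever fell in those character positions.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("expected a 13-19 digit PAN, got %d digits" % len(digits))
    return digits[:6] + mask_char * (len(digits) - 10) + digits[-4:]


def mask_pans_in_text(text: str) -> str:
    """Mask every PAN-shaped digit run in a line of free text."""
    return PAN_CANDIDATE.sub(lambda m: mask_pan(m.group(0)), text)


def find_unmasked_pans(lines) -> list:
    """1-based indices of lines that still contain a full PAN.

    Anything this flags is data that only documented, business-justified
    staff should be able to read; a masked line no longer matches because
    the mask characters are not digits.
    """
    return [n for n, line in enumerate(lines, 1) if PAN_CANDIDATE.search(line)]


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        print(mask_pans_in_text(line))
    print("lines with unmasked PANs:", find_unmasked_pans(SAMPLE_RECORDS))
```

Run the scan over the raw export and again over the masked output: the first run lists the lines that need an access justification, the second should come back empty.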

Create a policy for setting up security controls in your Cardholder Data Environments (CDEs)

New in PCI DSS 3.2, any changes made to a CDE must be immediately followed with proper security controls. PCI DSS requirements impacted by CDE changes must then be re-verified to ensure continued compliance with all standards.

Encrypt your data in transit and at rest

PCI data should always be encrypted in transit and at rest. Use a secure file transfer solution to ensure your data is always protected, no matter where it’s stored.

Ensure cardholder data is sent using secure communication methods

If cardholder data must be sent from one device to another, make sure it’s transferred through protected shared folders, secure mail, or encrypted collaboration, not regular email or text.

Apply firewalls to all portable devices that access the Internet and your CDE

PCI DSS requirement 1.4 requires employee devices that access both the Internet and your environment to run frequently monitored firewalls. Check as well that your cardholder data is kept out of the DMZ; a file transfer solution can help with this.

Review your users’ permissions and restrict access where needed

Requirement 7.1.2 expects organizations to adopt an employee-wide “least-privilege” policy. This ensures that only users with an actual business need can access sensitive cardholder information.

Perform quarterly reviews with your security personnel

If you’re a service provider, the newest version of PCI DSS requires you to perform quarterly reviews with your personnel. This ensures that security practices are being followed and risks are being mitigated.

Educate your team on any updates to your processes

Once you have everything in place for PCI DSS compliance, start a conversation with your team to ensure they understand how PCI DSS 3.2 affects their daily routine. Talking points might include the move to MFA and any further masking of your PANs.

Plan your migration from SSL and early TLS to TLS 1.1 or TLS 1.2

The SSL and early TLS migration isn’t enforceable until July 1, 2018, but that doesn’t mean you can’t start the process now. Learn more about this requirement on the PCI Security Standards Council website.

RELATED READING: 7 Essential Resources on PCI DSS Security

While this checklist is a great place to start, make sure you review the official PCI DSS document library for the full summary of the changes in 3.2.

Are Your Data Transfers PCI Compliant?

GoAnywhere MFT can help you test over 60 security settings in your GoAnywhere environment with the PCI DSS Security Settings Audit Report. This report outputs a PDF that shows you how each area of the solution performed against PCI DSS 3.2.

There are five possible outcomes for each setting tested.

  • Pass: The setting meets the PCI DSS requirement.
  • Fail: The setting does not meet the PCI DSS requirement.
  • Warning: You should look into this issue further to determine if you are compliant.
  • Not Applicable: A check on this setting is not required.
  • Fatal: A configuration problem is preventing GoAnywhere from accessing the appropriate data.

In addition to determining status outcomes, the report will give you recommended actions on how to remedy failed/warning areas and list which section of PCI DSS each security check applies to.

See the report in action.

We’d love to walk you through our PCI reporting. To learn how GoAnywhere can help you meet PCI DSS 3.2 requirements for file transfer encryption, role-based security, and auditing, simply request a demo and mention the PCI DSS Security Settings Audit Report in the comment box.
