
15 Days to PCI DSS 3.2: Preparing Your Organization for Compliance


There are two weeks left until February 1, 2018, the date PCI DSS 3.2 becomes enforceable.

In these final weeks, you may be wondering if you’ve checked all the boxes for 3.2 compliance. If you haven’t, is there enough time to prepare? What’s the risk of leaving it up to chance? Preparing to comply may seem labor-intensive, but if your organization fails a PCI DSS audit, you could face hefty fines.

RELATED WHITE PAPER: What’s New in PCI Data Security Standard 3.2

We understand these concerns, and we’re here to help. If you’re looking down the barrel of February’s deadline, get started with this PCI DSS 3.2 readiness checklist to identify where you’re on track and what still needs to be done.

14-Day Readiness Checklist for Compliance Changes

Each item below states a PCI DSS goal, followed by the details.

Review the contents of PCI DSS 3.2

It’s never a bad idea to refresh your PCI knowledge. You can find all the requirements and details here.

Identify which changes in version 3.2 apply to you

Some of the changes in PCI DSS 3.2 affect everyone, while others only affect service providers. Use this article to determine which requirements apply to you.

Update your card data flow diagram

PCI DSS requirement 1.1.3 obligates organizations to diagram and maintain their card data flows. We recommend updating your flows to ensure all cardholder data is properly accounted for.

Enforce multi-factor authentication (MFA) for all non-console admin access

PCI DSS requirement 8.3 has made MFA mandatory for non-console admin access to cardholder environments. Now is a good time to update any processes that may hinder this transition to MFA.

Record any employees who have access to unmasked Primary Account Numbers

Only the first six/last four digits of a PAN are allowed to be displayed. The rest must be masked. Those who can see more than these digits must be documented and given a legitimate business need for their access.
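The masking rule above in working code, as an added example that is not from the original article or from GoAnywhere. It masks a single PAN down to the permitted first six and last four digits (or fewer, for roles that need less), and scrubs PAN-looking digit runs out of free text such as log lines or ticket text before they reach people without a documented need. The function names (`mask_pan`, `scrub_text`), the Luhn pre-check used to avoid masking order numbers and timestamps, and the sample log line are assumptions; the sample PANs are the widely published card-brand test numbers, used here only as constructed input.

```python
import re

# Constructed sample input: public card-brand test numbers (Luhn-valid, not
# real accounts), and a made-up log line that leaks one of them.
SAMPLE_PANS = ["4111111111111111", "5555555555554444", "378282246310005"]
SAMPLE_LOG_LINE = (
    "2018-01-18 10:02:11 order=4471 card=4111 1111 1111 1111 amount=19.99"
)

# PCI DSS 3.2 requirement 3.3: at most the first six and last four digits of
# a PAN may be displayed; everything in between must be masked.
MAX_LEADING = 6
MAX_TRAILING = 4


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check, used to skip digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = MAX_LEADING,
             keep_last: int = MAX_TRAILING, mask_char: str = "*") -> str:
    """Return the PAN with only the permitted leading/trailing digits visible.

    Spaces and dashes are stripped first. A role that needs less than the
    maximum (e.g. last four only) passes smaller keep_* values; larger values
    are rejected because they would exceed what requirement 3.3 allows.
    """
    if keep_first > MAX_LEADING or keep_last > MAX_TRAILING:
        raise ValueError("only the first six / last four digits may be shown")
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN: expected 13 to 19 digits")
    hidden = len(digits) - keep_first - keep_last
    return (digits[:keep_first] + mask_char * hidden
            + digits[len(digits) - keep_last:])


# A run of 13-19 digits, optionally separated by single spaces or dashes, that
# is not part of a longer digit run (so a 20-digit id is not partially matched).
_PAN_RE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?![ -]?\d)")


def scrub_text(text: str) -> str:
    """Mask every Luhn-valid PAN found in free text (logs, emails, tickets).

    Digit runs that fail the Luhn check (order ids, timestamps, phone numbers)
    are left untouched to limit false positives.
    """
    def _replace(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            return mask_pan(digits)
        return match.group(0)

    return _PAN_RE.sub(_replace, text)


if __name__ == "__main__":
    for pan in SAMPLE_PANS:
        print(pan, "->", mask_pan(pan))
    print(scrub_text(SAMPLE_LOG_LINE))
```

`scrub_text` is the piece to put in front of anything that carries PAN-bearing text to a wide audience (an application log shipper, a support-ticket integration); `mask_pan` with `keep_first=0` is the setting for display surfaces where only the last four digits are needed, which is the common choice when no one on that screen has a documented need for the BIN.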

Create a policy for setting up security controls in your Cardholder Data Environments (CDEs)

New in PCI DSS 3.2, any changes made to a CDE must be immediately followed with proper security controls. PCI DSS requirements impacted by CDE changes must then be re-verified to ensure continued compliance with all standards.

Encrypt your data in transit and at rest

PCI data should always be encrypted when in transit and at rest. Use a secure file transfer solution to ensure your data is always protected, no matter where it’s stored.

Ensure cardholder data is sent using secure communication methods

If cardholder data must be sent from one device to another, make sure it’s transferred through protected shared folders, secure mail, or encrypted collaboration, not regular email or text.

Apply firewalls to all portable devices that access the Internet and your CDE

PCI DSS requirement 1.4 requires employee devices that access the Internet and your environment to have frequently-monitored firewalls. You might check to ensure your data is kept out of the DMZ as well. A file transfer solution can help with this.

Review your users’ permissions and restrict access where needed

Requirement 7.1.2 expects organizations to adopt an employee-wide “least-privilege” policy. This ensures that only users with an actual business need can access sensitive cardholder information.

Perform quarterly reviews with your security personnel

If you’re a service provider, the newest version of PCI DSS requires you to perform quarterly reviews with your personnel. This ensures that security practices are being followed and risks are being mitigated.

Educate your team on any updates to your processes

Once you have everything in place for PCI DSS compliance, start a conversation with your team to ensure they understand how PCI DSS 3.2 affects their daily routine. Talking points might include the move to MFA and any further masking of your PANs.

Plan your migration from SSL and early TLS to TLS 1.1 or TLS 1.2

The SSL and early TLS migration isn’t enforceable until July 1, 2018, but that doesn’t mean you can’t start the process now. Learn more about this requirement on the PCI Security Standards Council website.


RELATED READING: 7 Essential Resources on PCI DSS Security

While this checklist is a great place to start, make sure you review the official PCI DSS document library for the full summary of the changes in 3.2.

Are Your Data Transfers PCI Compliant?

GoAnywhere MFT can help you test over 60 security settings in your GoAnywhere environment with the PCI DSS Security Settings Audit Report. This report outputs a PDF that shows you how each area of the solution performed against PCI DSS 3.2.

There are five possible outcomes for each setting tested.

  • Pass: The setting meets the PCI DSS requirement.
  • Fail: The setting does not meet the PCI DSS requirement.
  • Warning: You should look into this issue further to determine if you are compliant.
  • Not Applicable: A check on this setting is not required.
  • Fatal: A configuration problem is preventing GoAnywhere from accessing the appropriate data.

In addition to determining status outcomes, the report will give you recommended actions on how to remedy failed/warning areas and list which section of PCI DSS each security check applies to.

See the report in action.

We’d love to walk you through our PCI reporting. To learn how GoAnywhere can help you meet PCI DSS 3.2 requirements for file transfer encryption, role-based security, and auditing, simply request a demo and mention the PCI DSS Security Settings Audit Report in the comment box.

