6 PCI DSS Best Practices to Become Requirements in 2018
Version 3.2 of the PCI DSS requirements was published in 2016, but several items are considered best practices until January 31, 2018. On February 1, 2018, they become requirements. One is for everyone meeting PCI DSS requirements, while the rest are for service providers.
Following are the best practices that become requirements on February 1, 2018.
Requirement 6.4.6 is for everyone meeting PCI DSS requirements. Whenever you implement a significant change to your system/network, verify that all appropriate PCI DSS controls are applied where needed, and update your documentation to reflect the change.
Requirements for Service Providers
- Document your cryptographic architecture (Requirement 3.5.1).
- Have a process to detect and report failures of critical security control systems. See PCI DSS Requirements 10.8 and 10.8.1 for examples of failures and what processes must include to respond to security control failures in a timely manner.
- If segmentation is used to isolate the CDE from other networks, perform penetration testing on segmentation controls/methods at least every six months and after any changes to them (Requirement 220.127.116.11).
- Executive Management must assign responsibilities and define a charter to maintain PCI DSS compliance. PCI DSS Requirement 12.4.1 provides details about what the compliance program must include, and who is considered “executive management.”
- Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures, and document the results of those reviews (Requirements 12.11, 12.11.1).
Please refer to PCI DSS for your responsibilities under these requirements. If you have specific questions relating to your responsibilities for PCI DSS compliance, please direct them to your Qualified Security Assessor (QSA).