LogRhythm Labs

PCI-DSS Compliance 3.2 Updates

Whether you swipe it, chip it, tap it, or phone it in, if you are involved in capturing payments from a credit card, you are most likely required to comply with Payment Card Industry Data Security Standard (PCI-DSS) requirements. PCI-DSS compliance is ultimately about securing card-based payment information to protect the sanctity of each transaction.

PCI-DSS 3.2 is Live

PCI-DSS is in a transitional phase in which version 3.1 is the accepted standard, with all participants moving to the 3.2 standard by January 2018. Although 3.2 is only a minor version number change, there are numerous differences between the new version of PCI-DSS and the old one:

  • New control number mappings: From an audit perspective, this means you have to “rename” many things to make sure you are meeting the currently defined controls.
  • New data regulations: Additional technical data regulations include stricter change control, improved data sampling, penetration testing, multi-factor authentication, and more.
  • Changes to SSL/TLS: PCI-DSS 3.2 will require that all network data transfers use SSL and TLS 1.2, at minimum.
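As an added illustration (not LogRhythm content or part of the module described here), a small piece of detection logic of the kind a SIEM rule for the SSL/TLS control could implement: it parses constructed web-server access-log lines that record the negotiated protocol and flags any transfer below TLS 1.2 or with no TLS at all. The log format, field order and sample values are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in an nginx-style format that appends the
# negotiated protocol and cipher ($ssl_protocol $ssl_cipher) to the
# standard access-log fields. A "-" means the request was not over TLS.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2017:10:01:02 +0000] "POST /checkout HTTP/1.1" 200 512 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
10.0.0.9 - - [12/Jun/2017:10:01:07 +0000] "GET /cart HTTP/1.1" 200 2048 TLSv1 AES128-SHA
10.0.0.7 - - [12/Jun/2017:10:01:09 +0000] "POST /checkout HTTP/1.1" 200 600 SSLv3 RC4-SHA
10.0.0.5 - - [12/Jun/2017:10:01:11 +0000] "GET /health HTTP/1.1" 200 2 - -
"""

# Minimum protocol version allowed by the control discussed above.
MIN_TLS = (1, 2)

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<proto>\S+) (?P<cipher>\S+)$'
)


def protocol_version(proto: str) -> Optional[Tuple[int, int]]:
    """Map a logged protocol string to a comparable (major, minor) tuple.
    Any SSL version sorts below every TLS version; None means no TLS/SSL."""
    if proto.startswith("SSLv"):
        return (0, int(proto[4:]))
    m = re.fullmatch(r"TLSv(\d)(?:\.(\d))?", proto)
    if m:
        return (int(m.group(1)), int(m.group(2) or 0))
    return None


def find_weak_transfers(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per line whose negotiated protocol is below TLS 1.2.
    Lines with no protocol recorded are reported as 'unencrypted'."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not our format; a production rule would also count parse failures
        proto = m.group("proto")
        ver = protocol_version(proto)
        if ver is None:
            reason = "unencrypted"
        elif ver < MIN_TLS:
            reason = "legacy protocol"
        else:
            continue  # TLS 1.2 or newer: compliant with the control
        findings.append({"client": m.group("client"), "request": m.group("request"),
                         "protocol": proto, "reason": reason})
    return findings
```

Running `find_weak_transfers(SAMPLE_LOG)` on the constructed input yields three findings (the TLSv1, SSLv3 and plaintext lines); the TLSv1.2 checkout request passes.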

LogRhythm’s PCI-DSS 3.2 Module

From LogRhythm’s perspective, the change from the old standard to 3.2 required creating a new compliance automation module to avoid confusion with the new control mappings. LogRhythm’s recently released PCI-DSS Compliance Automation Module is one of our largest compliance modules ever. It contains:

  • 72 AI Engine rules and alarms
  • 29 lists for defining “in-scope” content
  • 89 pre-defined investigations for evaluating controls
  • 98 summary reports to assist with regular oversight
  • 95 detailed reports to assist with specific audits
  • 6 defined reporting packages

In addition, as we built the PCI-DSS 3.2 Compliance Automation Module, we have added new rules, improved existing rule performance, and generally increased the coverage and capability of LogRhythm to support your PCI-DSS compliance initiative.

Using the Module

New to PCI-DSS?

If you are new to using LogRhythm as part of your PCI-DSS compliance initiative, start with the user guide located on the Community. The guide provides complete details about the compliance controls that the LogRhythm platform can fully or partially support. You may also consider leveraging our Compliance Co-Pilot service. Our professional services team will help you understand the LogRhythm capabilities and how they should be deployed and configured.

Upgrading from the Existing Version of PCI-DSS?

If you are already using the LogRhythm PCI-DSS Compliance Automation Module, you should consider upgrading now. Remember, PCI-DSS 3.2 is a separate module. The upgrade is not a straight one-for-one replacement. In fact, you can run both modules in parallel during the transition process.

Upgrading to the PCI-DSS 3.2 Compliance Automation Module will involve the following:

  • Review the PCI-DSS user guide. The guide contains detailed descriptions of all the content and mappings to the previous content.
  • Review your current lists and rules for your existing PCI-DSS module.
  • Update the lists and set up new list structures for PCI-DSS 3.2.
  • Take note of the new approach for listing in-scope entities and log sources.
  • Enable the PCI-DSS 3.2 rules and reports—optionally running them in parallel with your existing PCI-DSS module content.
  • Eventually disable and retire your PCI-DSS 3.1 module content.

Why PCI-DSS Compliance?

PCI-DSS compliance is serious business. Every month we hear about major loss of credit card information. Even the best PCI-DSS compliance cannot prevent all breaches. However, having even the basic defense posture required to support PCI-DSS can help your company stay out of the headlines and avoid significant fines (up to $500,000 per offense, plus $50–$90 per lost card!), loss of revenue (up to being banned from taking credit card payments!), and loss of consumer confidence and reputation.

Contributors include Rob McGovern, Bob Swanson, and Nathan Riley.