The 2018 PCI Guide is here. Learn what’s in it and how it will simplify your PCI process. 

We’ve officially launched our 2018 Guide to Payment Card Industry Data Security Standard (PCI DSS) Compliance. Inside you’ll find fresh insights, tips from auditors, forensic investigation data, interactive checklists, and a new prioritized chart to guide your reading.

You can download the 2018 SecurityMetrics Guide to PCI Compliance here.

Here’s a list of 5 of the best features from our 2018 Guide to PCI DSS Compliance:

1. A prioritized approach to PCI compliance

If you’re working towards payment card industry compliance this year, you'll want to check out our newly added section that begins on page 5, titled “How to Read This Guide.” We’ve added a chart to guide you through the requirements of the PCI DSS.

The chart gives an overview of the PCI Security Standards Council’s Prioritized Approach. The PCI SSC's Prioritized Approach consists of six milestones based on high-level compliance and security goals. Our chart breaks down requirements into individual IT tasks and assigns them to their related milestone(s).

This chart is especially useful for PCI compliance officers, CISOs, IT managers—anyone whose job requires that they plan, organize, or present on internal PCI compliance efforts. The Prioritized Approach offers organizations a risk-based roadmap to address issues on a priority basis, while also supporting organizational financial and operational planning.

Depending on where you are in your compliance journey, some milestones may be more significant to you than others. Rather than reading our guide cover to cover, we recommend you use this chart to guide your PCI compliance efforts.

2. Forensic data from our 2017 investigations

We believe knowledge is power, which is why we share data from our 2017 forensic data breach investigations on pages 11-13. By learning which PCI requirements were most and least commonly implemented at the time of a data breach, which non-compliant requirements directly contributed to data breaches, and which SAQ questions were failed most often, you can appreciate the bigger picture of what PCI compliance means for organizations.

Understanding the patterns that typically go along with data breaches empowers you to make informed decisions about allocating your PCI compliance resources.

We found that 2017 showed significant decreases in compliance levels when compared to previous years and that none of the investigated breached merchants in 2017 were found to be compliant with PCI DSS. And in nearly every case, the vulnerabilities that attackers leveraged to gain access to merchant systems would have been mitigated if the organization had been compliant with the entire PCI DSS.


3. Interactive IT checklists

PCI compliance comes down to the successful completion of a series of tasks. At the end of each requirement section, we include checklists as a way to help IT teams track and manage these action items.

The IT checklists have been one of the most popular and widely used features of our guides. This year they are interactive, meaning you can check off tasks directly within the PDF document. You can also type directly into the assignment and completion fields.

We added the checklists specifically to give you more options to manage and document your organization’s compliance-related IT tasks. The intent is to simplify compliance for everyone: those who determine the tasks, those who assign the tasks, and those who ultimately perform the tasks. This doesn’t replace our PCI audit management tool, but should enhance the overall process of getting compliant.

Interactive IT checklists are found on the following pages: 40, 44, 48, 51, 53, 58, 60, 64, 69, 73, 81, and 86.

4. Tips from auditors

Our “Tips from Auditors” sections throughout the document give context to the bigger picture of PCI compliance as well as actionable tips from our QSAs, who have years of IT security and audit experience.

We include auditor commentary and best practices for each PCI DSS requirement, as well as in other sections of the guide. If you are looking for an overview of what’s important for data security in the payment card industry, these sections would be a perfect place to start.

“Tips from an Auditor” sections can be found on the following pages: 17, 39, 43, 47, 50, 52, 56, 59, 63, 68, 72, 80, 85, and 106.

5. PCI Data Security Standard updates

Our PCI guide is written in accordance with the latest version of the PCI DSS, and outlines the supplemental guidance released by the Security Standards Council. Pages 24-30 outline and describe recent important changes and supplements to the PCI DSS, including:

PCI Data Security Standard version 3.2
New service provider requirements
Updated SSL/early TLS migration dates
February 2017 Multi-factor authentication supplement
Multi-factor authentication in or out of the CDE (8.3)
Clarifying masking criteria (3.3)
Change management process (6.4.6)
Service provider written agreement (12.8.2)

A powerful PCI compliance resource

Whether you are brand new to PCI compliance or are a seasoned systems administrator, you will find that the 2018 SecurityMetrics Guide to PCI DSS Compliance is a dynamic, hard-working document. We designed it to be a useful tool in the hands of anyone who wants to achieve compliance with the PCI DSS.

You can download the 2018 SecurityMetrics Guide to PCI Compliance here.

We’d love to hear what you think—do new features like the interactive checklists or “Prioritized Approach” reading guide chart help your compliance managers and IT teams? Are there features of the guide you use more than others? Or are there things you’d like to see included in the next edition?

Email pr@securitymetrics.com with your feedback about the guide.

If you’re interested in a PCI audit or our data security services, contact us here.