IT Security

PCI DSS 3.0 Cloud compliance

by Mark Rowe

SureCloud, a supplier of cloud-based IT Governance, Risk and Compliance (GRC) software, has added new features to its GRC platform in readiness for the new PCI DSS 3.0 compliance standard, the company reports.

PCI DSS is the compliance standard for how credit card data is handled; version 3.0 was published on November 7. The cloud product firm adds that the new version tightens areas that have allowed some merchants to misinterpret, or potentially manipulate, the standard’s real intention.

With cardholder data still remaining a target for criminals, the new guidelines provide more clarity for merchants, tighten areas such as vulnerability management, and are designed to help merchants more easily incorporate PCI DSS into their business-as-usual practices.

There are also stricter criteria for assessors governing how the requirements should be tested and validated. More clarity is given for the handling of third party service providers (frequently singled out as the weakest link in the chain) around responsibilities and accountability when handling credit card data. And new measures clarify the scope of PCI DSS with a more prescriptive control-based approach that sets out the parameters and requirements needed to achieve compliance.

SureCloud says that its platform has built-in assistance that automates the process in four areas:

· Asset inventory – SureCloud contains all the necessary documentation stipulated by the new standard to maintain an inventory of system components that fall within the scope of PCI.

· Third party assurance – the Software-as-a-Service (SaaS) platform provides merchants with a way of tracking compliance progress when running and managing their third party assurance programmes. It has a built-in workflow that automates task allocation and provides visibility of programme status in real time. The reporting functionality makes it possible to determine gaps in the PCI compliance programme and to create reports that satisfy the needs of internal and external stakeholders such as an acquiring bank.

· Penetration test management – this new requirement stipulates that merchants implement a penetration test methodology, which must specify the retention of penetration test results and remediation activities. The SureCloud GRC Platform has in-built penetration test management allowing merchants to define penetration testing methodologies, load penetration test results and manage all remediation activity. Because it is tightly integrated with SureCloud’s ASV Scanning and Internal Network Scanning capabilities, it also provides a central view of all vulnerabilities.

· Future-proofing for new versions of the PCI DSS – SureCloud’s “Control-Centric” approach not only supports business-as-usual activities, but also allows Controls to be automatically mapped and migrated to future versions of the PCI DSS (or any other security compliance initiative).

What they say

Richard Hibbert, CEO of SureCloud, said: “SureCloud’s GRC platform directly addresses the key highlighted requirements behind the latest version of the PCI DSS standard, effectively helping organisations to future-proof their compliance programmes. The platform itself gives users access to a central management system to run a PCI DSS standards-based programme from the start through to reaching compliance and onto maintaining it as a business-as-usual function thereby maximising the investment in the measures they take to meet their regulatory obligations.” Visit http://www.surecloud.com/


© 2024 Professional Security Magazine. All rights reserved.
