SureCloud, a supplier of cloud-based IT Governance, Risk and Compliance (GRC) solutions, today announced it has added new features and functionality to its cloud-based GRC platform in readiness for the new PCI DSS 3.0 compliance standard.
PCI DSS is the recognised compliance standard governing how credit card data is handled. Version 3.0, published on 7 November, tightens up a number of areas that some merchants have misinterpreted or potentially manipulated, contrary to the standard's real intention.
With cardholder data remaining a top target for criminals, the new guidelines provide more clarity for merchants, tighten up areas such as vulnerability management, and are designed to help merchants more easily incorporate PCI DSS into their business-as-usual practices. There are also stricter criteria for assessors governing how the requirements should be tested and validated. In addition, more clarity is given on the handling of third party service providers (frequently singled out as the weakest link in the chain), covering individual responsibilities and accountability when handling credit card data. Finally, there are new measures to clarify the scope of PCI DSS, with a more prescriptive control-based approach that sets out the parameters and requirements needed to achieve compliance.
To help merchants migrate easily from version 2.0 to version 3.0, the SureCloud platform has built-in assistance that automates the process in four key areas:
- Asset inventory - SureCloud contains all the necessary documentation stipulated by the new standard to maintain an inventory of system components that fall within the scope of PCI.
- 3rd party assurance - the Software-as-a-Service (SaaS) platform provides merchants with a clear way of tracking progress of compliance when running and managing their third party assurance programmes. It has built-in workflow that automates task allocation and provides visibility of programme status in real time. The reporting functionality delivers the ability to quickly determine gaps in the PCI Compliance programme and create reports that satisfy the needs of internal and external stakeholders such as an acquiring bank.
- Penetration test management - this new requirement stipulates that merchants implement a penetration test methodology, which must specify the retention of penetration test results and remediation activities. The SureCloud GRC Platform has in-built penetration test management allowing merchants to define penetration testing methodologies, load penetration test results and manage all remediation activity. This also provides a central view of all vulnerabilities, as it is tightly integrated with SureCloud's ASV Scanning and Internal Network Scanning capabilities.
- Future-proofing for new versions of the PCI DSS - SureCloud's "Control-Centric" approach not only supports business-as-usual activities, but also allows Controls to be automatically mapped and migrated to future versions of the PCI DSS (or any other security compliance initiative).
"SureCloud's GRC platform directly addresses the key highlighted requirements behind the latest version of the PCI DSS standard, effectively helping organisations to future-proof their compliance programmes," said Richard Hibbert, CEO of SureCloud. "The platform itself gives users access to a central management system to run a PCI DSS standards-based programme from the start through to reaching compliance and on to maintaining it as a business-as-usual function, thereby maximising the investment in the measures they take to meet their regulatory obligations."