Big Changes Coming To PCI DSS! Are You Ready?

The Payment Card Industry Data Security Standard (PCI DSS) is the most rigorous, industry-recognized payment-card security standard available globally. PCI DSS is a regulatory requirement for merchants and service providers that store, process or transmit customer payment card data. In a previous blog post, we talked about Dome9 achieving PCI DSS certification for its cloud compliance automation platform. We also covered why this should matter for organizations looking for vendors to support their PCI DSS compliance journey in the public cloud.

The Dome9 Arc SaaS platform offers powerful security and compliance automation that provides:

– Protection from from non-compliance penalties

– Powerful visualization of cloud assets

– Comprehensive compliance management across public clouds

– Continuous monitoring and automation reversion of unauthorized modifications

PCI DSS – What happens on June 30, 2018?  

In order to meet the Payment Card Industry Data Security Standard (PCI DSS), organizations need to migrate from using SSL or early TLS as a security control to using a more secure encryption protocol (TLS 1.1 or higher, TLS v1.2 is strongly encouraged) by June 30th, 2018.

As of PCI DSS v3.1, SSL and early TLS are no longer examples of strong cryptography or secure protocols. Here is PCI Council guidance information and a blog post on the same topic:

Migrating from SSL and Early TLS

Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS

The PCI DSS requirements directly affected are:

– Requirement 2.2.3  – Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.

– Requirement 2.3 –  Encrypt all non-console administrative access using strong cryptography.

– Requirement 4.1  – use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks. SSL and early TLS should not be used as security controls.

Dome9 for easy PCI Reporting and Compliance

Dome9 helps you produce PCI compliance reports, directly from its Compliance Engine. Dome9 can help with several sections of the PCI DSS regulation for your cloud workloads. With a single click, you can produce simple PCI reports for your cloud environment, that can fulfill needs of key stakeholders including –  security, IT professionals and auditors. If you want to know more about how Dome9 can help you achieve PCI compliance in 4 easy steps, click here.

With Dome9 you can easily identify all the SSL and early TLS protocols!

With a click of a button, Dome9 provides you with a list of relevant assets, as well as clear and specific instructions regarding remediation steps:

PCI DSS 3.2 Compliance with Dome9

1. Visibility into all of your Cloud Assets

– The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment.

– A company needs to clearly define the scope of all the System components in scope for  PCI DSS certification.

– Dome9 provides you the visibility into cloud assets in order to comply with PCI since you cannot protect information that is not on your radar

2. Compliance Engine

Real-time view of compliance and security  posture for immediate risk mitigation

3. Governance Specification Language (GSL)

GSL allows Compliance and Security team to write and review any compliance check in seconds without deep technical knowledge – This equates to fewer errors in translating IT governance requirements to policy definitions.

4. Continuous Compliance

Continuous Compliance allows Dome9 clients to continuously run a compliance assessment according to various compliance suites and deliver findings through the most convenient method such as emal, SNS notification message or PDF report.

Here’s a summary of PCI requirements and what Dome9 specifically offers:

Need more information?

We recently published some more information on PCI Compliance in the Cloud

On-Demand Webinar – What’s the Cost of Non-PCI Compliance in the Cloud?