Updates to PCI Requirements

Changes to the Payment Card Industry (PCI) Data Security Standards (DSS) include a new emphasis on education, awareness, and an approach to security as a shared responsibility. The changes aim to drive implementation of security best practices while providing flexibility for the business needs of an organization. Of particular interest to network administrators, new or updated items require organizations to:

  • Have a current diagram that shows cardholder data flows.
  • Evaluate evolving malware threats for systems not commonly affected by malware.
  • Protect POS terminals and devices from tampering or substitution.
  • Maintain an inventory of system components in scope for PCI DSS.

These are just a few of the changes in the 3.0 standards. View highlights of version 3.0 changes in this PCI Security Standards Council document (a table of updated requirements begins on page 5). The complete PCI DSS 3.0 document is available here.



Organizations should keep the PCI 3.0 timelines in mind and consider these as they prepare to undergo the audit process. While the changes in version 3.0 were first proposed in 2013, and the updated 3.0 standards came into effect on 1 January 2014, version 2.0 remains active until the end of 2014. Until July 1, 2015, some of these new requirements are considered best practices only, giving organizations time and flexibility to adapt to the changes.


Meraki PCI Certification

For the fourth consecutive year, the Cisco Meraki cloud architecture and product portfolio are PCI level 1 certified (the highest level of certification). Past articles on the Meraki blog highlight the secure nature of the Meraki out–of–band architecture and more information about the architecture, security, and compliance can be found on the Trust section of the Meraki website.