This requirement, 11.3, says that companies should implement a penetration-testing methodology based on industry-accepted approaches. The testing must cover the entire perimeter and the critical systems of the cardholder data environment, be performed from both inside and outside the network, address both network-layer and application-layer vulnerabilities, and take into account the threats and vulnerabilities the organization has experienced in the past 12 months.
Hall said he understands that some merchants need time to put these processes in place. However, companies should be vigilant and start implementing these requirements now, despite the grace period, he said. "They should not give attackers time to become even more sophisticated."
PCI DSS barely scratches the surface and is meant to provide a bare minimum of security controls, Hall said. PCI compliance should be used as leverage to obtain a larger security budget, but shouldn't become a company's sole security strategy, he said.
"There will obviously be some companies that will only do what's required under PCI DSS, and I say, shame on them," he said.
"Whatever your opinion, the new PCI DSS 3.0 appears to be moving from a security check box posture to a more holistic risk management approach," said Bernard Zelmans, general manager for EMEA at security management firm FireMon, via email. "This will hopefully entail a more security centric approach to PCI compliance rather than the least common denominator approach of earlier versions of PCI."
Michael Aminzade, director of delivery for EMEA & APAC at security firm Trustwave, believes that overall the council made some excellent improvements to PCI DSS, but that the standard is still lacking in some areas.
"PCI DSS 3.0 does not include any changes surrounding mobile security," he said via email. "Merchants are struggling with how to protect mobile payment solutions and integrating mobile devices into their organizations. The Council released a best practices guide for mobile security more than a year ago, but it would be more beneficial to release additional guidance pertaining to mobile data security."