What’s new in PCI 3.0?

Oct 20, 2017
Author:
Andrew Avanessian

Following the launch of PCI DSS 3.0 in January, I’ve been faced with questions from many businesses about changes they should implement within the next year to remain or become compliant with the updated mandate.

In a recent 30-minute webinar, I highlighted seven simple steps to achieving compliance, which have since been featured by Windows security expert and author Russell Smith.

It’s important to state that the steps outlined below are relevant to any security policy, and improving overall IT security should be the primary goal when conducting any compliance review.

1. Maintain an IT Policy

This is the most logical starting point but I continue to be surprised at how many IT departments don’t start with a clear IT security strategy. Too often it can come as an afterthought, once new projects or systems have been implemented.

PCI 3.0 reinforces the importance of clear, well-maintained policy documentation, including rules on strong passwords, protecting credentials, and changing passwords on suspicion of compromise.

2. Maintain Secure Systems

Admin access to all systems must be controlled to ensure they remain free from internal and external security threats. I can’t stress enough how important it is to have a solution in place for managing privileged access at an individual level. I’ve spoken to so many businesses that still have generic admin accounts or shared passwords.

3. Protect Data

Deploying up-to-date antivirus and firewalls is a great start to stop infections getting in, but best practice is to remove admin rights and implement application allow listing to ensure that only approved software, tasks and scripts can be run by users on the inside.

In fact, 51% of organizations believe a cyber-attacker is currently in their corporate network or has been in the past year (CyberArk 2013).

Recent data breaches experienced by the US retailer Target and in South Korea have highlighted once again the huge threat caused by malware and the insider. With admin privileges, your users effectively have the key to the back door and could walk out with your most precious data.

4. Defend Against Threats and Vulnerabilities

The rules of antivirus deployment in 3.0 have changed. As well as being fully operational, any such software must be configured so that users cannot disable or uninstall it. Did you know that advanced malware, or admin users, could disable antivirus policies even when the product has inbuilt anti-tampering features? Standard users cannot do this, which is another example of how dangerous unchecked admin rights can be. This leads me nicely to point 5...

5. Controlling Privileges

PCI 3.0 states that user privileges must be restricted to those who require them to perform their job role. In order to remove admin rights from users, most businesses will need more granular control over privileges than UAC in Windows environments can provide. I always recommend that any approach to changing user privileges should be meticulously planned, and fully communicated internally. Without a rich end-user experience, the whole security project is at risk.

6. Monitor Privilege Use

PCI 3.0 has a specific requirement to log the activity of privileged users. This is about more than just session recording. Session recording is not a proactive approach to security: it's effectively like filming someone robbing a bank. You can trace who committed the crime, but the money has still gone. Many CISOs still overlook the importance of removing admin privileges, which prevents the access in the first place. Any security layer or session recording solution can be disabled if the user has administrator access, though admittedly, some are easier to disable than others!
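The logging requirement in point 6, the "users must not be able to disable it" rule in point 4, and the generic admin accounts from point 2 all reduce to the same audit question: who used admin rights, and did anyone stop a security service? The script below is an added illustration, not code from the original post or from BeyondTrust. It runs over constructed log lines in a simple pipe-delimited format loosely modeled on Windows Security event 4672 (special privileges assigned) and System event 7036 (service state change); the account names, service names and approved list are all made up for the example.

```python
"""Audit constructed privileged-activity log lines against an IT policy.

Flags (a) privileged logons by generic/shared accounts, (b) privileged
logons by accounts not approved for admin rights, and (c) stops of
protected security services (antivirus, session recording).
"""
from dataclasses import dataclass

# Policy inputs (constructed sample values for this example).
APPROVED_ADMINS = {"CORP\\svc-patching", "CORP\\jdoe-adm"}
GENERIC_ADMIN_NAMES = {"administrator", "admin", "root"}
PROTECTED_SERVICES = {"AntiVirusAgent", "SessionRecorder"}

# Constructed log lines: "timestamp|event_id|account|detail".
# 4672 ~ special privileges assigned to a new logon; 7036 ~ service
# state change. The real 7036 event carries no account; the format
# here is assumed for the example.
SAMPLE_LOG = """\
2017-10-20T08:01:12Z|4672|CORP\\jdoe-adm|Special privileges assigned to new logon
2017-10-20T08:05:40Z|4672|CORP\\Administrator|Special privileges assigned to new logon
2017-10-20T08:06:02Z|7036|CORP\\Administrator|The AntiVirusAgent service entered the stopped state
2017-10-20T09:12:55Z|7036|CORP\\svc-patching|The PrintSpooler service entered the stopped state
2017-10-20T09:30:00Z|4672|CORP\\msmith|Special privileges assigned to new logon
"""


@dataclass
class Finding:
    timestamp: str
    account: str
    reason: str


def audit(log_text, approved=APPROVED_ADMINS, protected=PROTECTED_SERVICES):
    """Return the policy violations found in the log text, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, detail = line.split("|", 3)
        short_name = account.split("\\")[-1].lower()
        if event_id == "4672" and short_name in GENERIC_ADMIN_NAMES:
            findings.append(Finding(ts, account, "privileged logon by generic/shared admin account"))
        elif event_id == "4672" and account not in approved:
            findings.append(Finding(ts, account, "privileged logon by account not approved for admin rights"))
        elif event_id == "7036" and "entered the stopped state" in detail:
            service = detail.split()[1]  # "The <Service> service entered ..."
            if service in protected:
                findings.append(Finding(ts, account, f"protected service {service} stopped"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.timestamp} {f.account}: {f.reason}")
```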

7. Defense in Depth

A layered approach to security is crucial. The key is to combine multiple solutions such as antivirus, firewalls, patching, application allow listing and privilege management. Be aware of all your attack vectors and build your defense layers from the ground up. The “egg shell” approach to security, where the external perimeter is hard but the internal security is soft, just does not work.

In summary, compliance should never be a box-ticking exercise; it should be about making your systems as secure as they can possibly be. If you follow these basic standards in IT security and maintain effective IT policies, you should achieve the relevant compliance AND protect your most valuable business assets.

For more information on this topic, download our whitepaper on achieving compliance.
