If you are a merchant or service provider, then you may know about the changes coming for Payment Card Industry Data Security Standard (PCI DSS) in Version 3.2.
The Council periodically reviews and updates PCI DSS to ensure it continues to protect against old threats and new emerging threats.
The first portion of the changes is officially in effect, and the second portion comes into effect later this year.
As the payment card industry rapidly expanded, the Payment Card Industry Security Standard Council (PCI SSC) developed a set of requirements called the PCI DSS. These specifications ensure that all companies that process, store, or transmit credit card information maintain a secure environment.
PCI DSS applies to all organizations or merchants that accept, transmit, or store cardholder data, regardless of size or number of transactions.
Restaurants, retailers, hotels, doctors' and lawyers' offices, and much, much more, all need to watch for PCI DSS updates to remain compliant.
By not upgrading to more secure protocols, you put your business at serious risk for a security breach. The following requirements just went into effect on February 1, 2018, for merchants and service providers:
Change management implementation and documentation; all relevant PCI DSS requirements must be implemented on all new or changed systems and networks. This change addresses organizations that are not following the change-control portions of these requirements.
Implement multi-factor authentication for any admin access to the cardholder data environment (CDE). This change is going into effect to reduce the number of breaches that have occurred due to phishing attacks on administrators.
Maintain documentation of the cryptographic architecture. This is intended to stop service providers from offering end-to-end encryption solutions that do not meet the Council's P2PE standards.
Implement detection and reporting of critical security controls when they fail. Service providers will now have to provide proof that there is an alert when critical systems fail.
Respond and document failures of any critical security controls in a timely fashion. In addition to implementing alerting, service providers will also have to prove that they responded to the alert in a timely fashion.
Implementation of six-month penetration testing of segmentation controls. The Council is requiring that penetration testing occur every six months or if changes are made that affect segmentation controls.
Assign responsibility to management for cardholder data protection and PCI DSS compliance, create a PCI DSS charter, and establish a communication plan.
Quarterly management review of policy and process compliance with personnel.
Maintain documentation of the six-month management review to remain in compliance with 12.11.a.
The remainder of the changes to the standards will be enforced beginning July 1, 2018. Merchants and service providers must discontinue support for the Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) cryptographic protocols on or before June 30, 2018 to remain compliant. Although these protocols once provided the basis of secure network communications, known weaknesses in them mean they are no longer considered secure.
The PCI Security Standards Council website stresses the dangers that SSL and early TLS pose to merchants and providers:
Begin the process of migrating to safe protocols.
As part of that process, migrate to a minimum of TLS 1.1, or better yet TLS 1.2, then patch the TLS software and configure TLS securely.
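As an added illustration (not code from the original post or from the PCI SSC), the following Python sketch uses the standard library `ssl` module to set the server-side protocol floor the advice above calls for, and audits a context against it. The pass/warn/fail labels and the helper names are my own, and the "legacy" context is constructed here to show the non-compliant case.

```python
import ssl
import warnings

# Per the post: SSL and early TLS must be gone by June 30, 2018; a floor of
# TLS 1.1 is the minimum, TLS 1.2 is preferred. ssl.TLSVersion is an IntEnum
# ordered by wire version, so floors can be compared numerically.
TOLERATED_FLOOR = ssl.TLSVersion.TLSv1_1
RECOMMENDED_FLOOR = ssl.TLSVersion.TLSv1_2


def _set_floor(ctx: ssl.SSLContext, version: ssl.TLSVersion) -> None:
    # Python 3.10+ emits a DeprecationWarning for floors below TLS 1.2; it is
    # silenced only so the audit below can demonstrate the failing cases.
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version


def build_server_context(floor: str) -> ssl.SSLContext:
    """Server context that refuses every protocol version below `floor`
    (an ssl.TLSVersion member name such as "TLSv1_2")."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    _set_floor(ctx, ssl.TLSVersion[floor])
    return ctx


def legacy_context() -> ssl.SSLContext:
    """Constructed pre-migration context with no protocol floor: anything the
    linked OpenSSL still supports (including SSLv3/TLS 1.0) is negotiable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    _set_floor(ctx, ssl.TLSVersion.MINIMUM_SUPPORTED)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Classify a context's protocol floor against the post's guidance:
    "fail" = SSL or TLS 1.0 still negotiable, "warn" = TLS 1.1 floor
    (tolerated, not recommended), "pass" = TLS 1.2 or higher."""
    floor = ctx.minimum_version
    if floor < TOLERATED_FLOOR:
        status = "fail"
    elif floor < RECOMMENDED_FLOOR:
        status = "warn"
    else:
        status = "pass"
    return {"status": status, "floor": floor.name}


if __name__ == "__main__":
    for label, ctx in [("legacy", legacy_context()),
                       ("TLS 1.1 floor", build_server_context("TLSv1_1")),
                       ("TLS 1.2 floor", build_server_context("TLSv1_2"))]:
        print(f"{label:14} -> {audit_context(ctx)}")
```

Wire the same `build_server_context("TLSv1_2")` into whatever wraps your listening socket; the audit is the check to run over every context the CDE exposes.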
We've been helping merchants with PCI compliance since its inception by providing affordable managed network security solutions that make compliance easy and efficient.
Your focus should remain on running your business, not worrying about the status of your compliance.
For more information on PCI Compliance, visit our compliance support resource.