Changes to PCI DSS and What It Means for You

February 20, 2018

If you are a merchant or service provider, then you may know about the changes coming to the Payment Card Industry Data Security Standard (PCI DSS) in Version 3.2. The Council periodically reviews and updates PCI DSS to ensure it continues to protect against both existing and emerging threats. The first portion of the changes is officially in effect, and the second portion comes into effect later this year. Before we dive in, let's review the PCI DSS basics.

As the payment card industry rapidly expanded, the Payment Card Industry Security Standards Council (PCI SSC) developed a set of requirements called the PCI DSS. These specifications ensure that all companies that process, store, or transmit credit card information maintain a secure environment. PCI DSS applies to all organizations or merchants that accept, transmit, or store cardholder data, regardless of size or number of transactions.

Restaurants, retailers, hotels, doctors' and lawyers' offices, and many more all need to watch for PCI DSS updates to remain compliant.

Are you compliant with PCI DSS Version 3.2, which requires increased network security?

By not upgrading to more secure protocols, you put your business at serious risk for a security breach. The following requirements just went into effect on February 1, 2018, for merchants and service providers:
  • Requirement 6.4.6 - Change management implementation and documentation; all relevant PCI DSS requirements must be implemented on all new or changed systems and networks. This change addresses organizations that are not following the change portions of these requirements.
  • Requirement 8.3.1 - Implement multi-factor authentication for any admin access to the cardholder data environment (CDE). This change is going into effect to minimize the number of breaches that have occurred due to phishing attacks on administrators.
The remainder of the changes are for service providers only:
  • Requirement 3.5.1 - Maintain documentation of the cryptographic architecture. This is to curtail service providers from offering end-to-end encryption solutions that do not meet the Council's P2PE standards.
  • Requirement 10.8 - Implement detection and reporting of critical security controls when they fail. Service providers will now have to provide proof that there is an alert when critical systems fail.
  • Requirement 10.8.1 - Respond to and document failures of any critical security controls in a timely fashion. In addition to implementing alerting, service providers will also have to prove that they responded to the alert in a timely fashion.
  • Requirement - Implementation of six-month penetration testing of segmentation controls. The Council is requiring that penetration testing occur every six months or if changes are made that affect segmentation controls.
  • Requirement 12.4.1 - Assign responsibility for cardholder data and PCI DSS compliance, and create a PCI DSS charter and a communication plan to management.
  • Requirement 12.11.a - Quarterly management review of policy and process compliance with personnel.
  • Requirement 12.11.1 - Maintain documentation of the six-month management review to remain in compliance with 12.11.a.
The remainder of the changes to the standards will be enforced beginning July 1, 2018. Merchants and service providers must discontinue support for the Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) cryptographic protocols on or before June 30, 2018 to remain compliant. Although the protocols once provided the basis of secure network communications, they have been compromised and are no longer considered secure.

The PCI Security Standards Council website stresses the dangers that SSL and early TLS pose to merchants and providers:
  • There are many serious vulnerabilities in SSL and early TLS that, if left unaddressed, put organizations at risk of being breached. The widespread POODLE and BEAST exploits are just a couple examples of how attackers have taken advantage of weaknesses in SSL and early TLS to compromise organizations.
  • According to NIST, there are no fixes or patches that can adequately repair SSL or early TLS. Therefore, it is critically important that organizations upgrade to a secure alternative as soon as possible and disable any fallback to both SSL and early TLS.
So, what can you do now to protect yourself from SSL and early TLS vulnerabilities? Begin migrating to safe protocols: move to a minimum of TLS 1.1, or better yet, TLS 1.2, then patch your TLS software and configure TLS securely.
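
One way to start that migration is to find out which protocol versions your web servers still enable. The script below is an added example, not part of the original article or any Netsurion tooling: it audits the `ssl_protocols` directive in an nginx configuration, and the sample configuration, the host name and the FAIL/WARN split (taken from the advice above) are constructed for illustration.

```python
import re

# Classification follows the article: SSL and TLS 1.0 must be disabled,
# TLS 1.1 is the stated minimum, TLS 1.2 is preferred.
FORBIDDEN = {"SSLv2", "SSLv3", "TLSv1"}
DISCOURAGED = {"TLSv1.1"}

# Matches an active directive only; a line starting with '#' is skipped.
DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;#]+);")

# Constructed sample configuration (not from a real deployment).
SAMPLE_CONFIG = """\
server {
    listen 443 ssl;
    server_name pay.example.test;
    # ssl_protocols SSLv3 TLSv1;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 8443 ssl;
    ssl_protocols TLSv1.2;
}
"""

def audit_nginx_tls(config_text):
    """Return (line_no, severity, message) tuples for ssl_protocols directives."""
    findings = []
    seen = False
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if not match:
            continue
        seen = True
        protocols = set(match.group(1).split())
        bad = sorted(protocols & FORBIDDEN)
        weak = sorted(protocols & DISCOURAGED)
        if bad:
            findings.append((line_no, "FAIL", "disable " + ", ".join(bad)))
        if weak:
            findings.append((line_no, "WARN", "prefer TLSv1.2 over " + ", ".join(weak)))
    if not seen:
        # Without the directive the server falls back to its build default.
        findings.append((0, "WARN", "no ssl_protocols directive; build default applies"))
    return findings

if __name__ == "__main__":
    for line_no, severity, message in audit_nginx_tls(SAMPLE_CONFIG):
        print(f"line {line_no}: {severity}: {message}")
```

A clean result only means the configuration file asks for modern protocols; confirm the running server with a TLS scan after reloading it.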

Need help? Netsurion is here for you.

We've been helping merchants with PCI compliance since its inception by providing affordable managed network security solutions that make compliance easy and efficient.

Your focus should remain on running your business, not worrying about the status of your compliance. For more information on PCI Compliance, visit our compliance support resource.