Although version 3.2 of the PCI Data Security Standard (PCI DSS) was released over half a year ago, its impact will stretch much further into the future. In a way, the staged introduction of the standard is its most noteworthy element. There are a few essential changes, but the projected runway gives organizations more than enough time to brace themselves. As Payment Card Industry Security Standards Council CTO Troy Leach said in an interview, the extended timeline should give organizations the time they need to implement security processes that effectively mitigate cyberattacks. This does not mean that companies are off the hook, however: today’s “most advanced” security technology can become the vulnerability that tomorrow’s cyber criminals exploit. Follow along as the Rippleshot Team looks at the key highlights of PCI DSS 3.2.
When do I start?
Although PCI DSS 3.2 has been available for assessments since the end of April, organizations could continue to assess against 3.1 until October 31st. All of the requirements that are new to PCI DSS 3.2 also have a generous grace period: they take effect on February 1st, 2018, rather than within a year or two. The timeline for upgraded encryption is tighter, however. Migration away from SSL (Secure Sockets Layer) and TLS (Transport Layer Security) 1.0, both transport-layer encryption protocols, is mandated by June 30th, 2018. Service providers will be required to provide a “secure offering” by 2016, with the exception of certain point-of-sale (POS) or point-of-interaction (POI) systems.
What am I signing up for?
The key requirements in PCI DSS 3.2 center on a reformed change-management process, multi-factor authentication, service provider obligations and primary account number (PAN) masking, among others. Here are the most important to consider:
Validates change management processes so that organizations “analyze how changes may impact the environment and security controls [that are relied upon] to protect cardholder data.”
Requirement 12.1 and 12.1.1
Encourages service providers to maintain records in the form of quarterly reviews and to see PCI DSS as an ongoing effort instead of a one-time check by an assessor. By retaining evidence such as audit logs, vulnerability scan reports and firewall reviews, the service provider is also prepared for its next PCI DSS assessment.
Increases the frequency of penetration testing from once a year to once every six months, confirming that security controls are in place and working.
Emphasizes multi-factor authentication (the process of using two or more distinct technologies to authorize access to card data or the systems that hold it). Although this is already a PCI DSS requirement for remote access, the updated version requires personnel who administer systems containing card data to undergo two-factor authentication as well.
Ensures that only the minimum number of PAN digits needed to perform a business function is displayed.
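The PAN-masking point above is the one requirement in this list that maps directly to code, so here is an added example of how a display layer can enforce it and how a log review can catch violations. This is illustrative code written for this post, not code from Rippleshot or from the PCI Security Standards Council. It relies on one fact from the standard itself, that Requirement 3.3 allows at most the first six and last four digits of a PAN to be shown; the per-role display policy, the sample log lines and the function names are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# PCI DSS Requirement 3.3: never show more than the first six and last four
# digits of a PAN, and show fewer wherever the business function allows.
MAX_LEADING, MAX_TRAILING = 6, 4

# Constructed policy: how many (leading, trailing) digits each role may see.
# This mapping is an example, not something the standard prescribes.
DISPLAY_POLICY: Dict[str, Tuple[int, int]] = {
    "customer_service": (0, 4),  # last four is enough to confirm a card
    "fraud_analyst": (6, 4),     # BIN plus last four: the PCI maximum
    "report_viewer": (0, 0),     # no PAN digits needed at all
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; used here only to recognise PAN-like digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, role: str) -> str:
    """Return the PAN masked for `role`, never exceeding the PCI maximum."""
    pan = re.sub(r"[\s-]", "", pan)
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("not a PAN-shaped value")
    lead, trail = DISPLAY_POLICY[role]
    # Clamp the policy so a misconfigured role can never over-expose.
    lead, trail = min(lead, MAX_LEADING), min(trail, MAX_TRAILING)
    hidden = len(pan) - lead - trail
    return pan[:lead] + "*" * hidden + pan[len(pan) - trail:]


# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded
# in a longer digit run (so timestamps and order numbers rarely match).
PAN_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unmasked_pans(text: str) -> List[str]:
    """Scan free text (logs, receipts, exports) for PANs that were not masked.

    A masked PAN contains asterisks, so it never matches PAN_RUN; a digit run
    that does match is reported only if it also passes the Luhn check.
    """
    hits = []
    for m in PAN_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed log lines: an order number that merely looks like a PAN, a
# debug line that leaked a full test PAN, and a correctly masked receipt.
SAMPLE_LOG = (
    "2018-02-01 10:01:02 INFO order=1234567890123456 status=paid\n"
    "2018-02-01 10:01:03 DEBUG auth request card=4111 1111 1111 1111 amount=19.99\n"
    "2018-02-01 10:01:04 INFO receipt card=411111******1111\n"
)

if __name__ == "__main__":
    for role in DISPLAY_POLICY:
        print(f"{role:>17}: {mask_pan('4111 1111 1111 1111', role)}")
    print("unmasked PANs in log:", find_unmasked_pans(SAMPLE_LOG))
```

The masking function clamps every role to the Requirement 3.3 ceiling, so a later policy edit cannot widen exposure past what the standard permits. The scanner is the kind of check worth running over the audit logs and reports the quarterly-review point above asks service providers to keep: it ignores the order number on the first sample line because it fails the Luhn check, flags the debug line, and passes the masked receipt.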