It's that time of year again… time for the PCI Council to flip the industry on its head and create a lot of buzz around the new changes within the PCI Security Standard. So, what’s new?
Well, according to the powers that be, don’t expect version 4.0 to be out anytime soon. In fact, most changes to the Standard (for the foreseeable future) will be incremental in nature. Thus, we are presented with PCI DSS 3.2. That’s good news for the industry… right?
Let’s take a look at 8 of the most impactful changes within the newest version of the Standard that you don’t want to miss:
- Service providers must document and maintain a description of their architecture as it relates to cryptographic functions. (PCI DSS – 3.5)
- Change control procedures must include steps to identify and address PCI Requirements that could be impacted by the change. (PCI DSS – 6.4)
- THIS IS A BIG ONE… all non-console administrative access must utilize multi-factor authentication for access to the CDE. (PCI DSS – 8.3)
- Service providers must detect and report failures of critical security controls to their customers. (PCI DSS – 10.8)
- Service providers must perform penetration testing every SIX MONTHS on the controls they use to enforce segmentation. (PCI DSS – 11.3)
- The executive team for service providers must now establish responsibilities for the protection of cardholder data and the PCI DSS Requirements. (PCI DSS – 12.4)
- A new requirement for service providers’ executive management to establish responsibilities for the protection of cardholder data and a PCI DSS compliance program. (PCI DSS – 12.4)
- Service providers must confirm on a QUARTERLY BASIS that personnel are following security policies and procedures. (PCI DSS – 12.11)
So, what’s the good news here? Well, if you’re a merchant, the good news is that, aside from access control, most of the control enhancements are focused on service providers. Why is this? Service providers may represent a more systemic risk to payment processing systems. Thus, they have additional scrutiny and enhancements to deal with.
If you’re a service provider, you’ll definitely be working to implement new security controls or enhance existing ones within your cardholder data environment. The good news for you is that the Council has given ample time to implement the new control requirements before they become active. New controls must be implemented by February 2018.
We understand these changes may seem overwhelming and make PCI compliance appear like even more of a hassle. However, having these processes and procedures in place not only helps you obtain compliance but also helps your organization protect its valuable data. If you have any questions regarding the updates within PCI DSS 3.2 or concerns about other compliance or data security issues, please feel free to reach out to us at firstname.lastname@example.org.
Greg is the Vice President & General Manager of CompliancePoint’s Information Security Practice. Greg has over 15 years of experience with Information Security, Cyber Security, and Risk Management. His knowledge spans multiple industries and entities including healthcare, government, card issuers, banks, ATMs, acquirers, merchants, hardware vendors, encryption technologies, and key management.