
New PCI Requirements On The Way

Updated on January 17th, 2022

If you’re a business owner that accepts credit cards, then you’re required to adhere to the Payment Card Industry Data Security Standard, or PCI requirements. These standards, better known as PCI DSS or PCI for short, “apply to any entity that processes credit cards, whether that entity is a B2B or B2C operation.”

As we discussed last year, “it’s your responsibility to know the rules as they apply to accepting credit cards. Failure to do so means you’ll be paying hefty fines to your bank for failing to protect your customers acceptably. Most importantly, you’ll be letting down the very customers who trust you with their information. Here are a few things every business owner should know before accepting credit cards.”

Because of the importance of PCI requirements, it’s essential that you’re up to speed on the latest PCI requirements, which are on the way. PCI DSS 3.2 was released in April 2016 and includes the following changes.

Additional Multi-factor Authentication

Arguably the biggest change on the way is that multi-factor authentication will become a requirement for all personnel who have administrative access into the environments handling card data. In the past, this applied only to those who had remote access from untrusted networks.

PCI Security Standards Council CTO Troy Leach further explains, “By multi-factor authentication we mean that two or more credentials must be used to authorize a person’s access to card data and systems. Examples of factors include something you know, such as a password or passphrase; something you have, such as a token or smart card; or something you are, such as a biometric.”

The Council is adding this as “a requirement for any personnel with administrative access into the cardholder data environment, so that a password alone is not enough to verify the user’s identity and grant access to sensitive information, even if they are within a trusted network.”

Organizations have until February 2018 to comply with this requirement.

Incorporation of “Designated Entities Supplemental Validation” (DESV)

“The DESV is a set of criteria that can help service providers and others address key challenges in maintaining ongoing security efforts to protect payments,” says Leach. “These include effective compliance program oversight; proper scoping of an environment; and ensuring effective mechanisms are in place to detect and alert on failures in critical security controls.”

Service providers must perform penetration tests on the network’s segmentation controls at least every six months, as well as run quarterly checks to ensure that their personnel are following security policies and procedures.

Extended Migration Dates for SSL/early TLS

Originally, migration from SSL and TLS 1.0 to a more secure version of TLS (currently v1.1 or higher) was required to be completed by July 1, 2016. However, because there were vulnerabilities in SSL and early TLS, the PCI Council has pushed back the migration deadline to July 1, 2018. “Organizations can and should already be addressing this issue, starting with reviewing the Bulletin on Migrating from SSL and Early TLS,” suggests Leach.

Besides those three major changes, Leach says that we can expect to see numerous other initiatives throughout the year. These include payment security guidance for SMBs, training programs for qualified installers serving SMBs, and PCI DSS training for merchant banks.

“Moving forward, we expect incremental revisions like those in version 3.2 to address evolving threats to the payment landscape, with a focus on helping companies use this standard as a good framework for everyday security and business best practice,” says Leach.

If you want to ensure that your organization meets these new changes, take the following five steps:

  • Evaluate whether or not your internal systems can meet the new standards.
  • Utilize the expertise of your IT team.
  • Engage service providers in your plans to meet the deadline.
  • Have a plan in place to configure all systems to stop using SSL or early TLS.
  • Set internal deadlines to implement changes.
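One way to turn the “evaluate your internal systems” and “stop using SSL or early TLS” steps into a repeatable check, using the post’s stated floor of TLS v1.1 or higher: an added example (not from the original post or from the PCI Council) that audits every `ssl_protocols` directive in an nginx-style configuration. The protocol sets and both sample configurations are constructed for this example; a missing directive is treated as non-compliant because the server default may still enable early TLS.

```python
import re

# Protocol names as nginx spells them. PCI DSS 3.2 calls SSL and "early TLS"
# weak; the post quotes TLS v1.1 or higher as the acceptable floor (assumption:
# treat anything below that as weak for this check).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
ACCEPTABLE_PROTOCOLS = {"TLSv1.1", "TLSv1.2", "TLSv1.3"}

# Matches e.g. "    ssl_protocols SSLv3 TLSv1 TLSv1.2;" anywhere in the file.
SSL_PROTOCOLS_RE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.MULTILINE)


def enabled_protocol_sets(nginx_conf: str) -> list:
    """Return one set of protocol names per ssl_protocols directive found."""
    return [set(m.split()) for m in SSL_PROTOCOLS_RE.findall(nginx_conf)]


def audit_ssl_protocols(nginx_conf: str) -> dict:
    """Flag any directive that still enables SSL or early TLS.

    Every directive in the file is checked, because an http-level directive
    that allows TLSv1 is a finding even if one server block is stricter.
    """
    sets = enabled_protocol_sets(nginx_conf)
    if not sets:
        return {"compliant": False, "weak": [], "unknown": [],
                "reason": "no ssl_protocols directive; server default may enable early TLS"}
    weak = sorted(set().union(*sets) & WEAK_PROTOCOLS)
    unknown = sorted(set().union(*sets) - WEAK_PROTOCOLS - ACCEPTABLE_PROTOCOLS)
    return {"compliant": not weak and not unknown, "weak": weak, "unknown": unknown}


# Constructed sample configurations: the legacy one still allows SSLv3/TLSv1,
# the hardened one is what the migration plan should produce.
LEGACY_CONF = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""
HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ssl_protocols(conf))
```

The same check can be run across a configuration repository before the deadline, and then repeated on a schedule so that a later change does not silently re-enable early TLS.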

Is your organization prepared for the new PCI requirements?

Chalmers Brown - Former CTO of Due

I'm Chalmers Brown and former CTO of Due. I'm a big fan of technology and building financial products that help people better their lives. I have a passion for financial products that help people. I build complex financial infrastructure protocols that help scale financial companies. They are secure and support millions of customers worldwide.
