New PCI Requirements On The Way
If you’re a business owner that accepts credit cards, then you’re required to adhere to the Payment Card Industry Data Security Standards or PCI requirements. These standards, better known as PCI DDS or PCI for short, “apply to any entity that processes credit cards, whether that entity is a B2B or B2C operation.”
As we discussed last year, “it’s your responsibility to know the rules as they apply to accepting credit cards. Failure to do so means you’ll be paying hefty fines to your bank for failing to protect your customers acceptably. Most importantly, you’ll be letting down the very customers who trust you with their information. Here are a few things every business owner should know before accepting credit cards.”
Because of the importance of PCI requirements, it’s essential that you’re up-to-speed on the latest PCI requirements, that are on the way. PCI DSS 3.2 was released in April 2016 and include the following changes.
Additional Multi-factor Authentication
Arguably the biggest change on the way is that multi-factor authentication will become a requirement for any personnel that has administrative access into the environments handling card data. In the past, this was applied only to those who has remote access from untrusted networks.
PCI Security Standards Council CTO Troy Leach further explains, “By multi-factor authentication we mean that two or more credentials must be used to authorize a person’s access to card data and systems. Examples of factors include something you know, such as a password or passphrase; something you have, such as a token or smart card; or something you are, such as a biometric.”
By adding this as “a requirement for any personnel with administrative access into the cardholder data environment, so that a password alone is not enough to verify the user’s identity and grant access to sensitive information, even if they are within a trusted network.”
Organizations have until February 2018 to comply to with this requirement.
Incorporation of “Designated Entities Supplemental Validation” (DESV)
“The DESV is a set of criteria that can help service providers and others address key challenges in maintaining ongoing security efforts to protect payments,” says Leach. “These include effective compliance program oversight; proper scoping of an environment; and ensuring effective mechanisms are in place to detect and alert on failures in critical security controls.”
Service providers must perform penetration tests segmentation controls of the network at least every six months, as well as run quarterly checks to ensure that their personnel are following security policies and procedures.
Extended Migration Dates for SSL/early TLS
Originally, requiring migration from SSL and TLS 1.0 to a more secure version of TLS (currently v1.1 or higher) was supposed to be completed by July 1, 2016. However, because there were vulnerabilities in SSL and early TLS, the PCI Council has pushed back the migration deadline to July 1, 2018. “Organizations can and should already be addressing this issue, starting with reviewing the Bulletin on Migrating from SSL and Early TLS” suggests Leach.
Besides those three major changes, Leach says that we can expect to see numerous other initiatives throughout the year. These include payment security guidance for SMBs, providing training programs for qualified installers to SMBS, and PCI DSS training for merchant banks.
“Moving forward, we expect incremental revisions like those in version 3.2 to address evolving threats to the payment landscape, with a focus on helping companies use this standard as a good framework for everyday security and business best practice,” says Leach.
If you want to ensure that your organization meets these new changes, take the following five steps;
- Evaluate whether or not your internal systems can meet the new standards
- Utilize the expertise of your IT team.
- Engage service providers in your plans to meet the deadline.
- Have a plan in place to configure all systems to stop using SSL or early TLS.
- Set internal deadlines to implement changes.
Is your organization prepared for the new PCI requirements?