PCI DSS - the Payment Card Industry Data Security Standard - regulates merchants and service providers that store, process or transmit cardholder data. Naturally, as the payment card industry environment continues to change so too must PCI DSS. If you’re responsible for PCI compliance in your organization you therefore need to stay abreast of any new PCI requirements that are coming into effect and make sure your company is compliant.
The latest version of PcI DSS (3.2) was announced in April 2016. Until February 2018, it’s changes were considered best practice, however the passing of this deadline now makes them mandatory. If you haven’t already prepared to meet with the new PCI DSS Requirements then it’s time to do so now.
So what’s changed?
There are 4 significant changes that apply to merchants (additional PCI changes relate to service providers only). In this article we’ll look at the 4 main PCI DSS changes you ought to be aware of.
PCI DSS 3.2 COMPLIANCE - MULTI-FACTOR-AUTHENTICATION
Prior to PCI DSS 3.2, two-factor authentication was only required by people accessing Cardholder Data Environments (CDEs) remotely. However, under the new PCI rules, Multi-Factor Authentication (MFA) is mandatory for ALL non-console administrative access to CDEs, even if the individual is not remote.
According to the PCI Council “Anyone with non-console administrative access to systems or devices in the Cardholder Data Environment (CDE) must have multi-factor authentication, so that a password alone is not enough to verify the user’s identity and grant access to sensitive information, even if they are within a trusted network” (PCI Security Standards Preparing for PCI 3.2)
PCI DSS 3.2 COMPLIANCE - PAN STORAGE
PAN stands for Primary Account Number. The new version of PCI DSS requires that only the first 6 and last 4 digits of a PAN can be displayed. The rest of the number must be masked. If staff need to see more than the 10 approved digits, organizations are required to list who has access to the full PAN and document the reasons why access is needed.
It’s true that masking has always been a requirement of PCI DSS. This update simply clarifies that the display of PANs greater than the 10 digit rule must have legitimate business need. The rationale behind the measure is to ensure that data is adequately encrypted in the event of a data breach.
PCI DSS 3.2 COMPLIANCE -SECURITY COMPLIANCE FOR CHANGES TO THE CARDHOLDER DATA ENVIRONMENT
A 2015 PCI Compliance Report from Verizon found that only 29% of companies were still PCI compliant a year after their validation. PCI DSS 3.2 attempts to improve this figure by ensuring that organizations are proactively checking changes to the Cardholder Data Environment and remaining consistent with updated security controls.
With that in mind, the new PCI rules state that: “Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.”
Your organization should:
- Have a documented definition for what your organization considers a ‘significant change’.
- Be able to identify and document all significant changes through your change management system.
- Be able to prove that vulnerability scanning, penetration testing and risk assessment updates are conducted as a result of the significant change.
PCI DSS 3.2 COMPLIANCE -SSL AND EARLY TLS MIGRATION
The deadline for all companies to migrate from weak encryption methods like SSL and TLS 1.0 to TLS 1.1 or above ( ideally 1.2) is June 30 2018.
The reason for this change is that SSL and early TLS protocols have simply been around too long. At the ripe old age of a decade they can no longer keep up with technological change .
According to the PCI Security Standards Council and NIST, “there are no fixes or patches that can adequately repair SSL or early TLS. Therefore, it is critically important that organizations upgrade to a secure alternative as soon as possible and disable any fallback to both SSL and early TLS.”
It’s recommended to start planning for it asap, because a change like this can take time.
Got any questions about PCI Compliance that weren't covered off here? Please feel free to ask in the comment box below.