The latest iteration of the Payment Card Industry Data Security Standards (PCI DSS 3.2) was released at the end of April. As with any major industry standard, this new version of PCI gives you, a payments consultant, an opportunity to educate your merchants on the changes. After all, PCI is a complex topic full of acronyms and industry jargon. Your merchants likely don’t have the time or attention spans to read through the full document (titled PCI DSS available to download on this page) and distill their action items. That’s where you come in. And to make it easy on you, we’re giving you the CliffsNotes for PCI DSS 3.2.
In a nutshell, the revised standards reinforce what the PCI Council has been trying to drive home for years: PCI compliance is an ongoing process, not a one-and-done checklist. Version 3.1 will expire on October 31, 2016, but businesses have until February 1, 2018 to implement the new requirements outlined in 3.2.
Here are the key differences between 3.1 and 3.2.
1. Use multi-factor authentication instead of two-factor authentication
The Council clarified that any personnel with administrative access into a cardholder data environment must provide at least two credentials to obtain access. This applies to any administrator, whether a third party or a business employee. Version 3.1 only called for two-factor authentication.
Why? A password alone is not enough to verify the user’s identity and grant access to sensitive information, even if they are within a trusted network.
What merchants can do: Merchants should review how they are currently managing authentication. Credentials can be something you know (such as a password), something you have (such as a token or smart card), or something you are (such as a biometric, like a fingerprint or voice recognition).
2. ONLY if instructed, some merchants will need to follow additional criteria
The Council added an appendix of additional testing criteria that are ONLY applicable if a merchant is instructed by an acquirer or payment brand. If instructed, the merchant will need to undergo an assessment according to the new document titled PCI DSS Supplemental Designated Entities Validation (DESV). The document is available to download on this page. Organizations that are most likely to fall into this category include those storing, processing or transmitting large volumes of cardholder data, providing aggregation points for cardholder data or businesses that have suffered significant or repeated data breaches in the past.
Why? Merchants at higher risk of data breaches need stricter controls.
What merchants can do: Follow the general standards and goals (see below). If a merchant is interested in going above and beyond the requirements, follow the additional criteria outlined in the document.
3. New requirements for service providers
There are many new requirements for service providers, which are business entities that are directly involved in the processing, storage, or transmission of cardholder data on behalf of another business. For example, this could be a payment processor such as Clearent, a managed service provider that offers managed firewalls, IDS and other services, or a hosting provider.
The new requirements include mandatory penetration testing every six months, instead of once a year, to confirm that security controls are working properly. Quarterly reviews of internal security policies and operational procedures are also recommended, and there’s a new requirement for executive management to establish responsibility for protection of cardholder data and the PCI DSS compliance program.
Why? You’re only as strong as your weakest link. Even when merchants follow PCI standards on a regular basis, the third parties they work with can negate their security efforts if they don’t practice PCI compliance as well.
What merchants can do: Make sure that the third parties they work with are PCI compliant as well. Even though these changes apply to service providers, the principles can benefit small business owners and can help them adopt stronger security practices.
Here is a reminder of the major milestones and goals for merchants to achieve PCI DSS 3.2 compliance. Read the full guide titled PCI DSS 3.2 Resource Guide available to download on this page.