The New PCI Data Security Standard 3.2 Has Arrived. Here’s What You Need To Know.
On 30 April 2016 the Payment Card Industry (PCI) Council released a new version of the PCI Data Security Standard – PCI DSS 3.2. It comes earlier in the year than previous releases, so it’s important to be prepared for the changes and to be clear on how they’ll affect your organisation. We’ve put together a summary of the major changes and their implications to make the process easier for you.
Why the early release?
The PCI Council opted for the earlier release date to formalise the extended TLS migration deadline that it announced late last year, which moved from 30 June 2016 to 30 June 2018. Releasing early ensures that all merchants are aware of the changed deadline. In addition, the PCI DSS is now regarded as a mature standard, so future versions will be incremental modifications rather than wider-scale annual updates. Another factor is the anticipated change in payment acceptance on the horizon (e.g. mobile payments and new authentication methods); the earlier release gives merchants more time to plan their future security investments.
What has changed in PCI DSS 3.2?
The main changes in PCI DSS 3.2 from PCI DSS 3.1:
- 30 June 2018 is the confirmed TLS migration deadline for replacing insecure SSL/early TLS with secure TLS equivalents.
The new deadline replaces the 30 June 2016 deadline published in PCI DSS 3.1. Despite the extension, many companies are still working to the previous deadline to minimise risk. SSL and early TLS have well-known, easily exploited weaknesses that put organisational information at risk. Migrating to the latest TLS as soon as possible is simply the safest choice for many businesses.
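The two practical sides of the migration are knowing which systems still offer SSL/early TLS and making sure new code refuses to negotiate it. The following Python is an added example written for this post (not code from the PCI Council or from Stickman Consulting). The version cut-off it applies is the editor's reading of the migration guidance and is marked as an assumption in the code: SSLv2, SSLv3 and TLS 1.0 are treated as non-compliant, TLS 1.1 as tolerated but discouraged, and TLS 1.2 or newer as the target. The host inventory is constructed sample data.

```python
import re
import ssl
from typing import Dict, List

# Assumption (editor's reading of the PCI migration guidance, not a quote from
# the standard): these versions are "SSL/early TLS" and must be retired ...
DISALLOWED = {"sslv2", "sslv2.0", "sslv3", "sslv3.0", "tlsv1", "tlsv1.0"}
# ... while TLS 1.1 is tolerated but not the migration target.
DISCOURAGED = {"tlsv1.1"}


def normalise(name: str) -> str:
    """Map scanner/log spellings ("TLS 1.2", "TLSv1_2", "SSL 3.0") to one form."""
    n = name.strip().lower().replace("_", ".")
    n = re.sub(r"^tls\s*v?", "tlsv", n)
    n = re.sub(r"^ssl\s*v?", "sslv", n)
    return n.replace(" ", "")


def classify(name: str) -> str:
    """Return 'disallowed', 'discouraged', 'ok' or 'unknown' for a protocol name."""
    n = normalise(name)
    if n in DISALLOWED:
        return "disallowed"
    if n in DISCOURAGED:
        return "discouraged"
    m = re.fullmatch(r"tlsv1\.(\d+)", n)
    if m and int(m.group(1)) >= 2:
        return "ok"
    return "unknown"


def migration_findings(inventory: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Per host, list the offered versions that block PCI DSS 3.2 compliance.

    Hosts offering only tolerated/acceptable versions are omitted from the result.
    """
    findings = {}
    for host, offered in inventory.items():
        bad = [p for p in offered if classify(p) == "disallowed"]
        if bad:
            findings[host] = bad
    return findings


def tls12_client_context() -> ssl.SSLContext:
    """Client context that keeps certificate/hostname checks and refuses < TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls12_server_context(certfile: str = "", keyfile: str = "") -> ssl.SSLContext:
    """Server context that will not negotiate SSLv3/TLS 1.0/TLS 1.1 with any client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:  # paths are caller-supplied; omitted here so the example runs offline
        ctx.load_cert_chain(certfile, keyfile or None)
    return ctx


# Constructed sample: protocol versions a scanner reported per host (not real hosts).
SAMPLE_INVENTORY = {
    "pos-gateway.example": ["TLSv1", "TLSv1.1", "TLSv1.2"],
    "api.example": ["TLS 1.2", "TLS 1.3"],
    "legacy-terminal.example": ["SSLv3", "TLSv1.0"],
}

if __name__ == "__main__":
    for host, bad in migration_findings(SAMPLE_INVENTORY).items():
        print(f"{host}: still offers {', '.join(bad)}")
    print("client minimum:", tls12_client_context().minimum_version)
```

The inventory check is deliberately separate from the context builders: the first is what you run against scan output during the migration, the second is what you put in code and configuration so the problem cannot come back once it is fixed.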
- Any display of PAN greater than the first six/last four digits requires a legitimate business need, with additional clarification for common masking scenarios.
Masking means hiding part of a value from view; it is not the same as encryption. For example, when you display a credit card number, you have to mask it. At most, you may show the first six and last four digits. Going beyond this without a legitimate business need, as specified in 3.2, would make you non-compliant. Another important point: if your business stores PANs, you need a mechanism to encrypt and secure them.
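To make the first six/last four rule concrete, here is an added Python example (written for this post, not code from the PCI Council or Stickman Consulting) that masks a PAN for display and, separately, checks whether an already-rendered value such as a receipt line or screen field reveals more than the rule allows. The card number used is the well-known 4111... test value, embedded here as constructed sample input.

```python
import re

# PCI DSS 3.2 limit for a displayed PAN without a documented business need.
MAX_LEADING = 6
MAX_TRAILING = 4


def mask_pan(pan: str, leading: int = MAX_LEADING, trailing: int = MAX_TRAILING,
             mask_char: str = "*") -> str:
    """Return the PAN with only the permitted leading/trailing digits visible.

    Separators (spaces, dashes) are stripped first so the digit count, not the
    display format, decides what is revealed.  Asking for more than the
    first six/last four is refused rather than silently honoured.
    """
    if leading < 0 or trailing < 0:
        raise ValueError("visible digit counts must be non-negative")
    if leading > MAX_LEADING or trailing > MAX_TRAILING:
        raise ValueError("requested mask would reveal more than first six/last four")
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    hidden = len(digits) - leading - trailing
    visible_tail = digits[len(digits) - trailing:] if trailing else ""
    return digits[:leading] + mask_char * hidden + visible_tail


def display_is_compliant(displayed: str, mask_char: str = "*") -> bool:
    """True if a rendered PAN shows no more than first six / last four digits.

    Anything with digits inside the masked region, or with no masking at all,
    is reported as non-compliant.
    """
    s = re.sub(r"[ -]", "", displayed)
    m = re.fullmatch(rf"(\d*)({re.escape(mask_char)}+)(\d*)", s)
    if m is None:
        return False
    return len(m.group(1)) <= MAX_LEADING and len(m.group(3)) <= MAX_TRAILING


# Constructed sample input: a standard test card number, not a real account.
SAMPLE_PAN = "4111 1111 1111 1111"

if __name__ == "__main__":
    print(mask_pan(SAMPLE_PAN))                 # receipt-style: first six / last four
    print(mask_pan(SAMPLE_PAN, leading=0))      # customer-facing: last four only
    print(display_is_compliant("4111111*****1111"))  # seven leading digits shown
```

Note that `mask_pan` works on a value that has already been retrieved in the clear; masking at display time does not reduce the scope of systems that store or transmit the full PAN, which is why the storage requirement in the paragraph above still applies.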
- Maintain a documented description of cryptographic architecture – effective February 2018
- Change control processes must include verification of PCI DSS requirements impacted by a change – a new requirement effective February 2018
Some entities designated by payment brands or acquirers will need to undergo extra validation, even after a PCI DSS validation, to determine whether they maintain compliance in their day-to-day practices. For example, extra validation might include reviewing a merchant's change-control records for the previous 12 months. Procedures that demonstrate day-to-day compliance could also be checked, such as how suspicious events are tracked and whether documentation is kept up to date.
- Multi-factor authentication for all personnel with non-console administrative access to the CDE, effective February 2018. This is in addition to the multi-factor authentication required for personnel with remote access to the CDE that was specified in version 3.1.
Multi-factor authentication, also commonly called two-factor authentication, effectively secures your cardholder data environment. For a correct multi-factor configuration, you need at least two of the following three factors:
- Something you know (e.g. your password)
- Something you have (e.g. a one-time code generated on your phone)
- Something you are (e.g. your fingerprint)
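The first two factors above are the ones most administrative logins combine: a password the person knows and a one-time code from an authenticator app on a phone they have. The Python below is an added example for this post (not code from the PCI Council or Stickman Consulting) showing what a server has to do to check both. The one-time code is standard TOTP (RFC 6238, HMAC-SHA1, 30-second steps), so the values in the test are the RFC's own vectors; the password store, the 200,000 PBKDF2 iterations and the one-step clock-skew window are this example's choices, not requirements from the standard.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional

PBKDF2_ROUNDS = 200_000   # example's choice; raise as hardware allows
TOTP_STEP = 30            # seconds per code, as in RFC 6238


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[float] = None, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    now = time.time() if at is None else at
    return hotp(key, int(now) // step, digits)


def verify_totp(key: bytes, code: str, at: Optional[float] = None, window: int = 1) -> bool:
    """Accept the current code or one step either side, to tolerate clock skew.

    Every candidate is compared with a constant-time function.
    """
    counter = int(time.time() if at is None else at) // TOTP_STEP
    ok = False
    for skew in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(key, counter + skew), code)
    return ok


def make_password_record(password: str) -> Dict[str, bytes]:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_password(record: Dict[str, bytes], password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def authenticate_admin(record: Dict[str, bytes], totp_key: bytes, password: str,
                       code: str, at: Optional[float] = None) -> bool:
    """Grant access only when both the knowledge and possession factors pass.

    Both factors are always evaluated so the response time and result do not
    reveal which one was wrong (design choice of this example).
    """
    knows = verify_password(record, password)
    has = verify_totp(totp_key, code, at=at)
    return knows and has


# Constructed sample: the RFC 6238 test secret, an enrolled admin and a login attempt.
RFC6238_KEY = b"12345678901234567890"
ADMIN_RECORD = make_password_record("correct horse battery staple")

if __name__ == "__main__":
    print("code at t=59:", totp(RFC6238_KEY, at=59))
    print("login ok:", authenticate_admin(ADMIN_RECORD, RFC6238_KEY,
                                          "correct horse battery staple", "287082", at=59))
```

In production the TOTP secret would be generated per user with `secrets.token_bytes(20)` at enrolment and stored encrypted; the fixed RFC key appears here only so the output can be checked against published vectors.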
- Detect and report on failures of critical security control systems – effective February 2018
- Perform penetration testing on segmentation controls at least every six months – effective February 2018
- Executive management must establish responsibilities for the protection of cardholder data and a PCI DSS compliance program – effective February 2018
- Perform reviews at least quarterly of personnel compliance with security policies and operational procedures
What you need to do
Start planning now
Although some of the deadlines may seem far in the future, it makes more business sense to start planning now for how you’ll ensure compliance with PCI DSS 3.2, so you can adopt the changes seamlessly. This approach will save you time and minimise costs. Your organisation would be wise to spend time evaluating security investments, and to continue evaluating payment acceptance procedures and assessing the risks inherent in them. Organisations that are not service providers should still evaluate the new requirements. It’s worth checking whether any of the security controls will benefit your organisation, even where they are not related to compliance.
Review helpful resources
The SSL/early TLS deadline extension in PCI DSS 3.2 was previously announced in December 2015, so your organisation should already be on the path to addressing the issue. The Bulletin on Migrating from SSL and Early TLS is a great resource for step-by-step guidance to the migration process.
The PCI DSS Summary of Changes from 3.1 to 3.2 provides a full list of all the minor and major changes that appear in the new, updated standard. The main changes that we have mentioned above are referred to as ‘evolving requirements’ in the PCI DSS 3.2 summary document.
Stickman Consulting provides trusted IT security professional services to help you achieve PCI DSS 3.2 compliance. We start by assessing your current compliance status and then update it to the latest version, 3.2. We’ll review the effect of the changes on your specific organisational environment and create a suitable action plan for seamless and effective implementation. Please get in touch today or call us on 1800 785 626 if you’d like to know more about how to achieve PCI DSS 3.2 compliance.