The Payment Card Industry Security Standards Council has published the latest version of PCI DSS, the information security standard for organizations that handle customer credit cards.
Changes and improvements in PCI DSS 3.2 include:
Multi-factor authentication will be required for all administrative access into the cardholder data environment. Previously, use of multi-factor authentication was only a must when it was accessed remotely, by an untrusted user/device.
“This will not impact machine authentication where one system is communicating with another as it is intended for personnel authentication; nor will it impact administrators accessing directly from the console,” PCI Security Standards Council CTO Troy Leach explained.
The “Designated Entities Supplemental Validation” (DESV) – a set of steps that tell an entity how it can meet PCI DSS requirements – has now been incorporated into the standard. Entities asked by an acquirer or payment brand to demonstrate that they are maintaining compliance should use it to do so.
Service providers get several new requirements, among them: maintaining a documented description of the cryptographic architecture; reporting on failures of critical security control systems; establishing responsibility for the protection of cardholder data and for the PCI DSS compliance program; regular penetration testing of segmentation controls; and proving that their top executives have an understanding of PCI DSS compliance.
Migration from SSL and TLS v1.0 to TLS v1.1 and higher must be performed by July 1, 2018.
The new requirements introduced in PCI DSS 3.2 will be considered best practices until 31 January 2018, and on 1 February 2018 they become requirements (all except the SSL/TLS migration).
“Anytime a new standard is released it provides organizations an opportunity to re-evaluate their existing security posture and whether they should make adjustments prior to applying the new requirements. We encourage organizations to first consider how they currently accept payments and how they store, process and transmit that data. Is there a different business approach? A way to eliminate unnecessary storage? Or technology like point-to-point encryption that can be deployed?” Leach explained.
“The incremental revisions in 3.2 provide an opportunity to address a few critical security risks and evaluate approaches for how best to accept payments securely in the future.”
Brian NeSmith, CEO at Arctic Wolf Networks, says that the expected new PCI standards fall far short of actually improving the security of cardholder data.
“History has proven that this rear view mirror approach to security – focusing on protecting the assets alone – does not meaningfully improve security. By the time you see it, it’s too late; it’s already happened,” he explained. “What the industry really needs is to improve its threat detection and response capabilities in order to catch the bad guys before the damage is done.”
Billy Austin, VP of Security at MAX Risk Intelligence by LOGICnow, notes that PCI DSS falls short in many areas: “Attackers are successful for numerous reasons, although at the end of the day, they are focused on systems outside of these ‘PCI DSS’ controlled zones. The two most popular attacks are extortion and exfiltration. Extortion is the means of coercing one to pay for compromised data while exfiltration is the means of extracting data in an unauthorized manner. Data thieves have access to a plethora of automated black market attack code. What’s frightening is they are using old techniques to proliferate systems and most are ‘compliant’ organizations.”