February 1, 2018 marks the deadline for businesses to adopt the new industry standard, PCI DSS 3.2, aimed at reducing and better responding to cyber attacks resulting in payment data breaches.
Originally announced in 2016, the industry has had almost two years to prepare for these increased requirements but a significant percentage of businesses are still not prepared, secure payment solutions provider, PCI Pal, warns.
“The industry has developed a culture of compliance cramming, treating PCI as an annual exam to be passed without working towards a culture of continuous compliance. For businesses in this ‘annual pass’ group, PCI DSS 3.2 could be a rude awakening because it requires evidence of continuous compliance instead of a pass/fail,” said Geoff Forsyth, CTO at PCI Pal.
PCI DSS 3.2 requirements
Primary requirements of PCI DSS 3.2 include:
- Expansion of requirement 8.3 to include use of multi-factor authentication for administrators accessing the cardholder data environment
- Additional security validation steps for service providers and others, including the “Designated Entities Supplemental Validation” (DESV) criteria.
Despite existing data security standards, many companies struggle to ensure continuous compliance – data taken from a 2017 report found that at the time of data compromise the average merchant is not compliant with almost half (47%) of current PCI DSS requirements. Of those that do pass compliance checks, almost a third are not compliant just 12 months later, according to Verizon’s PCI DSS Compliance report.
PCI DSS 3.2 will address compliance cramming
Forsyth continues: “To be PCI compliant is a constant process. The annual assessment has, to date, only been able to check that the correct processes are in place. PCI DSS 3.2 will change that approach, requiring evidence that device inventories and configuration standards are kept up to date, and security controls are applied where needed.
“Companies should no longer rely on outdated workarounds such as pause-and-resume. The recent spate of high-profile security has thrust this issue into the spotlight but this new standard will ensure it stays front of mind for the industry at large.”