The PCI Security Standards Council (PCI SSC) released an updated version of its security standard on April 28, 2016, intended to protect merchants and consumers against rising attacks on payments infrastructure. Organizations have six months before the previous version is retired and assessments must be made against the new one; the new requirements it introduces remain best practices until Jan. 31, 2018, and security analysts have said full implementation may take up to two years.
The Payment Card Industry (PCI) Data Security Standard (DSS) Version 3.2, which replaces PCI DSS 3.1 when that version retires on Oct. 31, 2016, is based on feedback from council members and on analysis of data breach trends. The new standard has performed well in preliminary testing. "PCI DSS 3.2 includes a number of updates to help these entities demonstrate that good security practices are active and effective," said PCI SSC Chief Technology Officer Troy Leach.
Platform changes, enhancements
PCI DSS 3.2 extends the multifactor authentication requirement to all personnel with non-console administrative access to the cardholder data environment (CDE), including administrators connecting from inside the corporate network. Previously, Requirement 8.3 applied only to remote network access originating from outside the entity's network.
Primary changes include "new requirements for administrators and service providers and the cardholder data environments they are responsible to protect," PCI SSC General Manager Stephen Orfei stated. "PCI DSS 3.2 advocates that organizations focus on people, process and policy, with technology playing an important role in reducing the overall cardholder data footprint."
Additional changes in PCI DSS 3.2 include:
- Revised Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) sunset dates, as outlined in the PCI SSC resource guide Bulletin on Migrating from SSL and Early TLS: the deadline for migrating existing implementations off SSL and TLS 1.0 moves from June 30, 2016, to June 30, 2018, while new implementations must not use them at all.
- Expansion of Requirement 8.3 to require multifactor authentication for all non-console administrative access to the cardholder data environment, not only for remote access from outside the network; this becomes mandatory on Feb. 1, 2018.
- Additional security validation steps for service providers and others, including the "designated entities supplemental validation" criteria (now Appendix A3), which previously were contained in a separate document of that name.