Global credit card users will enjoy enhanced card data security, thanks to the recent update of PCI DSS standards. On April 28, 2016, the Payment Card Industry (PCI) issued Data Security Standard (DSS) 3.2, which updates DSS 3.1, and promises increased safety for global credit card users for the foreseeable future.
Why the Change?
The PCI Security Standards Council (SSC) is continuously monitoring the digital financial landscape for emerging trends, as well as threats to credit card users, their issuers and the related financial institutions. They have noted drastic changes in the payment acceptance sector, from the EMV chip rollout in the United States to advancements in the mobile payment sector. The new standard seeks to address challenges these changes may pose.
Additionally, the PCI DSS is now considered a mature standard, so incremental tweaks of existing rules will replace the introduction of entirely new standards. The extension of the period for migration away from the outdated SSL protocols to the more secure, current version of TLS is such a tweak. The new deadline for full migration is June 30, 2018.
Who is Affected?
Essentially, any administrators or service providers entrusted with protecting credit card data should carefully review the new version and begin planning for its full implementation. There are currently more than 700 global participating organizations that regularly accept credit card payments, and they have their own networks of affiliates. All these entities will be required to prove implementation of the new version specifically, and should also be prepared to show that all their security procedures are secure. Service providers that routinely aggregate large amounts of card data may be especially sensitive to the types of threats these modifications intend to address.
What Must They Do?
Testing and Documentation
To ensure customer data security, the revised standard requires added documentation and testing of existing systems to make sure that they’re keeping data safe with these newly added provisions:
- Newly added provisions 10.8 and 10.8.1 require more frequent scans for detection and reporting of critical security controls systems, to avoid unnecessarily long periods of intruder access;
- Newly added provision 220.127.116.11 requires penetration testing of segmentation controls by service providers every six months. Keeping the card data footprint as small as possible reduces the scope of opportunity for inappropriate access;
- Newly added provisions 12.11 and 12.11.1 require services providers to review card-accessing personnel every six months as well to ensure they’re up-to-date with PCI procedures and standards;
- Newly added provision 12.4.1 requires that upper management of all participants remains responsible for data management security. This requirement comes from instances where personnel changes removed the enterprise authority from the control of PCI compliance practices and confirmations.
- Entities must record the encryption processes they use, to ensure subsequent staff maintains those standards, and that management can accurately determine when upgrades are necessary; and
- The Designated Entities Supplemental Validation (DESV) process moves into 3.2, but as an extension of existing standards and not an outright requirement. These validation standards are useful to test for compliances and effective detection mechanisms, but are only required if that entity is instructed to perform the assessments by a payment brand or acquirer.
All Personnel with Access to Card Data Must Now Use Multi-Authentication Processes
Previously, this requirement was limited to workers with remote access to secured data banks. However, because unauthorized privileges and compromised credentials occur in almost every reported incident, under the new rule, any personnel with access to protected data must show two or more credentials, such as passwords, smart cards or tokens
PCI DSS 3.1 will expire on October 31, 2016, so enterprises should be working now to implement the new rules and their procedures. To give every entity the opportunity to gain proficiency with the revised protocols, 3.2 standards will be considered best practices, not requirements, until February 1, 2018.