The release of the next version of the Payment Card Industry (PCI) Data Security Standard (DSS) is upon us. Version 3.2 was published in late spring 2016 and will be considered best practice until the end of January 2018—and effective as a requirement starting February 2018.
Follow these PCI DSS 3.2 Requirements and Security Assessment Procedures to ensure your organization is prepared:
Procedure 1: Review How Your Organization Manages Authentication into the Cardholder Data Environment
Fear not: multi-factor authentication is consistent with the current requirement, which already calls for at least two-factor authentication for untrusted, remote access to the cardholder data environment. The difference in the new PCI DSS requirements is that multi-factor authentication will now be required for anyone with administrative access to the cardholder data environment—sensitive information will now require more than a password for access.
Procedure 2: Ensure You Are Regularly Testing and Can Provide Evidence of Effective Security Controls
Ensuring your organization maintains payment protection security is an ongoing challenge for any PCI DSS-compliant business. In the new version, the Designated Entities Supplemental Validation (DESV) set of criteria is part of the standard itself, and is meant to help organizations with:
- Environment scoping
- Effective implementation of security failure detection and alerting mechanisms
- Optimized oversight of your compliance program
These requirements will help you test more often and ensure that you have evidence of effective controls.
Procedure 3: Prioritize Security to Ensure It Is a Top Consideration Every Day
The PCI Security Standards Council recommends approaching version 3.2 as an opportunity to reconsider how you are currently handling payments—how you accept, store, process, and transmit that data—and determine where critical security risks might be lurking. This updated version is meant to ensure organizations make security a daily priority. As the PCI Security Standards Council stated in a recent blog post, “If there is an opportunity to minimize the footprint of cardholder data, then any adjustments for a new version of the PCI DSS can be more focused, compliance reporting more concentrated, and most importantly, areas where cardholder data must still be used, can be better monitored and protected.”
The Goal Is the Same
Some things remain the same, like the SSL/TLS migration requirements published in December 2015. The focus of PCI DSS compliance efforts is still to establish ongoing security processes to prevent, detect, and respond to attacks that might lead to data loss. With these proactive measures, you’ll be 3.2 ready ahead of the game.