The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. It applies to every entity involved in payment card processing, and to any other organisation that stores, processes or transmits cardholder data.
The card brands mandate the PCI DSS, and the standard is maintained and reviewed by the Payment Card Industry Security Standards Council (PCI SSC). It was created to strengthen controls around cardholder data and so reduce card fraud following breaches. Compliance is validated annually: organisations handling large transaction volumes are assessed by an external Qualified Security Assessor (QSA) or a firm-specific Internal Security Assessor (ISA), who produces a Report on Compliance (ROC), while companies handling smaller volumes complete a Self-Assessment Questionnaire (SAQ).
PCI DSS 3.2 Changes Enforced In 2018
PCI DSS is a security standard for organisations that store, process or transmit credit card information. The changes in version 3.2 of the standard that require stronger network security are enforced in 2018.
- There are many serious vulnerabilities in SSL and early TLS that, left unaddressed, put organisations at risk of a breach. The widely publicised POODLE and BEAST attacks are just two examples of attackers exploiting weaknesses in SSL and early TLS (downgrading a connection, or recovering plaintext from CBC-mode records) to compromise an organisation's data.
- There are no fixes or patches that can adequately repair SSL or early TLS (TLS 1.0, and in many cases TLS 1.1). Organisations therefore need to migrate to a secure alternative as soon as possible (TLS 1.1 is the minimum the Council accepts, and TLS 1.2 or higher is strongly recommended) and disable any fallback to SSL and early TLS. The Council's deadline for completing this migration is 30 June 2018.
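Disabling fallback is only half the job; you also want to see whether clients on your network are still negotiating, or retrying with, SSL/early TLS. The following is an added example, not code from the original article or from the PCI SSC: it parses a TLS ClientHello record, determines the highest protocol version the client offers (from the legacy version field, or from the `supported_versions` extension when present), and flags two conditions a practitioner cares about: a client that offers only SSL/early TLS, and a downgrade retry, recognisable by the `TLS_FALLBACK_SCSV` signalling cipher suite that browsers send when they fall back after a failed handshake (the exact pattern POODLE abuses). The `build_client_hello` helper only constructs test records; it is not a real client. All sample records are constructed inline.

```python
"""Inspect TLS ClientHello records for SSL/early-TLS offers and downgrade retries (added example)."""
import struct

VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}
# "SSL and early TLS" in the PCI SSC guidance: SSLv3, TLS 1.0 and (in many cases) TLS 1.1.
EARLY_TLS = {(3, 0), (3, 1), (3, 2)}
TLS_FALLBACK_SCSV = 0x5600       # RFC 7507 signalling cipher suite value
EXT_SUPPORTED_VERSIONS = 43      # RFC 8446 extension type


def build_client_hello(legacy_version, cipher_suites, supported_versions=None):
    """Construct a minimal ClientHello record for testing (constructed data, not a real client)."""
    body = bytes(legacy_version)
    body += b"\x11" * 32                      # client random (fixed, constructed)
    body += b"\x00"                           # empty legacy session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += b"\x01\x00"                       # one compression method: null
    if supported_versions is not None:
        ext_body = bytes([2 * len(supported_versions)])
        ext_body += b"".join(bytes(v) for v in supported_versions)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_body)) + ext_body
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Real clients put 0x0301 in the record header regardless of the version they
    # offer, so the record version must never be used to judge the client.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (legacy_version, cipher_suites, supported_versions or None) from a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    legacy_version = (body[0], body[1])
    pos = 2 + 32                              # skip client random
    pos += 1 + body[pos]                      # skip session id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + body[pos]                      # skip compression methods
    supported = None
    if pos + 2 <= len(body):                  # extensions are optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS and data:
                count = data[0]
                supported = [(data[i], data[i + 1]) for i in range(1, 1 + count, 2)]
    return legacy_version, suites, supported


def assess_client_hello(record):
    """Classify a ClientHello: highest version offered, early-TLS exposure, downgrade retry."""
    legacy_version, suites, supported = parse_client_hello(record)
    offered = supported if supported else [legacy_version]
    highest = max(offered)
    fallback = TLS_FALLBACK_SCSV in suites
    early = highest in EARLY_TLS
    if early and fallback:
        verdict = "downgrade retry to SSL/early TLS (TLS_FALLBACK_SCSV present)"
    elif early:
        verdict = "client offers only SSL/early TLS"
    else:
        verdict = "client offers TLS 1.2 or later"
    return {
        "highest": VERSION_NAMES.get(highest, str(highest)),
        "early_tls": early,
        "fallback_scsv": fallback,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed samples: a modern client, a browser retrying after a failed
    # TLS 1.2 handshake, and a legacy client that only speaks SSLv3.
    samples = {
        "modern": build_client_hello((3, 3), [0xC02F, 0xC030, 0x1301], [(3, 4), (3, 3)]),
        "retry": build_client_hello((3, 1), [0xC013, TLS_FALLBACK_SCSV]),
        "legacy": build_client_hello((3, 0), [0x002F]),
    }
    for name, rec in samples.items():
        print(name, assess_client_hello(rec))
```

A server that has properly disabled SSL and early TLS rejects the "retry" and "legacy" hellos outright; seeing them in captures still tells you which clients or integrations will break when the fallback is removed, which is the inventory you want before the June 2018 deadline.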
Other significant changes in the standard became effective on 1 February 2018 for both merchants and service providers:
- Requirement 6.4.6 — After a significant change, all relevant PCI DSS requirements must be implemented on the new or changed systems and networks, and documentation updated
- Requirement 8.3.1 — Multi-factor authentication for all non-console administrative access to the CDE
Many organisations are adopting gateway (jump) servers to centralise administrative access and to host the multi-factor authentication mechanism. A gateway server can also reduce the scope of the PCI DSS assessment, provided administrative access to the CDE is only possible through it.
The remaining changes effective 1 February 2018 apply to service providers only:
- Requirement 3.5.1 — Documented description of the cryptographic architecture
- Requirement 10.8 — Detection and reporting of failures of critical security control systems
- Requirement 10.8.1 — Timely response to, and documentation of, failures of critical security controls
- Requirement 11.3.4.1 — Penetration testing of segmentation controls at least every six months and after any change to those controls
- Requirement 12.4.1 — Executive management assigns responsibility for PCI DSS compliance and establishes a PCI DSS charter
- Requirement 12.11 — Quarterly reviews to confirm personnel are following security policies and operational procedures
- Requirement 12.11.1 — Documentation of the quarterly review process and its results
Daily adherence to these requirements is the first step in preparing for your first assessment after 30 June 2018, the official enforcement date for the remaining PCI DSS 3.2 changes, and it also puts you in a position for a much better result.
Preparations To Be Effective For The PCI DSS 3.2 2018 Changes
- Protect Your Cardholder Data Against External Threats:
The PCI DSS 3.2 updates give you more tools to protect your systems against external threats and so help prevent data theft. Apply the multi-factor authentication requirements; migrate from SSL and TLS 1.0 to a secure TLS version and disable fallback; adhere to the Designated Entities Supplemental Validation (DESV) requirements where they apply to you; follow the rules on masking displayed card numbers; and perform regular penetration testing, which is crucial for both compliance and protection.
- Protect Your Cardholder Data Against Internal Threats:
Although no organisation likes to imagine it, sometimes the intruder is already inside. A malicious or careless insider can put your company at risk, so it is essential to vet the employees who will work with sensitive cardholder data and to train them to handle it securely.
We understand how important protecting your customers' cardholder data is, and we also understand the disruption an update like this can cause to your team's regular tasks. Working through the changes together helps you get up to speed and identify any gaps that might compromise your customers' data. Note that at the 2017 European Community Meeting in October the Council announced that the June 2018 deadline is under review. However, until the Council issues an official update, we recommend that you plan to stop supporting SSL and TLS 1.0 by that date, or have appropriate compensating controls in place to address the risk.