Introduction
The Payment Card Industry Data Security Standard (PCI-DSS) was developed to follow the policy and standards of cardholder data security, which consistently provides data security measures globally. PCI-DSS provides minimum technical and operational requirements to protect the data of cardholders. PCI-DSS applies to all operations which are involved in the payment card processing of cardholders data.
The card mandates the PCI Standard and is reviewed by the Payment Card Industry Security Standards Council. This standard was created to increase the controls of cardholder’s data to reduce credit card breaches. Compliance is performed annually, either by an external Qualified Security Assessor (QSA), or by an Internal Security Assessor (ISA) whom generate a report on compliance for organisations by handling a large number of transactions or, by Self-Assessment Questionnaire (SAQ) for companies, handling smaller volumes.
Contents:
PCI-DSS 3.2 CHANGES ENFORCED IN 2018
PREPARATION TO BE EFFECTIVE FOR PCI-DSS 3.2 2018 CHANGES
CONCLUSION
HOW BRIKSINFOSEC HELPS YOU
CURIOUS TO READ OUR CAE STUDY
LAST BUT NOT THE LEAST
YOU MAYBE INTERESTED ON
PCI-DSS 3.2 changes Enforces In 2018
The Payment Card Industry Data Security Standard (PCI-DSS) is a security standard for organisations to store or transmit credit card information. The changes in PCI-DSS version 3.2 of the data are requiring increased network security and also are enforced in 2018.
-
There are many severe vulnerabilities in SSL and early TLS that were left unnoticed. This makes organisations at the risk of being breached. The widespread POODLE and BEAST exploits are just a couple of examples through which attackers can take advantage of weaknesses in SSL and early TLS to compromise organisation’s data.
-
There are no fixes or patches that can adequately repair SSL or early TLS (TLS1.0). Therefore, it is highly essential for organisations to upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS (TLS1.0).
There are other significant changes in the standards that were effective from 1st February 2018, for merchants and service providers:
-
Requirement 6.4.6 — Change management implementation and documentation.
-
Requirement 8.3.1 — Multi-factor authentication for any admin access to the CDE (Cardholder Data Environment).
As we know, many organisations are starting to use Gateway servers, to centralise access and as a place to locate the multi-factor authentication mechanism. Use of a Gateway server can also be used to reduce the scope of PCI-DSS assessment.
The rest of the changes into effect from 1st Feb, 2018, are for service providers only:
-
Requirement 3.5.1 — Documented cryptographic architecture.
-
Requirement 10.8 —Detection and reporting of critical security controls failure.
-
Requirement 10.8.1 —Respond to failures of any critical security controls in a timely manner.
-
Requirement 11.3.4.1 — Six-month penetration testing of segmentation controls.
-
Requirement 12.4.1 — Assign responsibility for PCI-DSS compliance and create a PCI-DSS charter.
-
Requirement 12.11.a —Six-month management review of policy and process compliance.
-
Requirement 12.11.1 —Documentation of the six-month management review.
The daily duty is the first step towards preparing for your first assessment after June 30, 2018, official PCI-DSS 3.2 update enforcement date. It can do more to qualify yourself in a position for getting superior results.
Preparations To Be Effectiv Fo PCI:DSS 3.2 2018 Changes
-
Protect Your Cardholder Data Against External Threats:
The PCI-DSS 3.2 updates, provides more tools to protect the system against external threats, resulting in the prevention of data theft. To be more secure, it is strictly advised to:
-
To apply the multi-factor authentication requirements.
-
To update your SSL and TLS 1.0 to the minimum new layer of protection.
-
Adhere to DESV requirements and rules, regarding displaying card numbers.
-
In performing regular penetration testing for crucial compliance and protection.
-
Protect Your Cardholder Data Against Internal Threats:
Many organisations aren’t even aware of the fact that, sometimes the intruders are within. An unauthorised person may put your company at risk, so it is essential for organisations to educate their employees, working with sensitive cardholder information in order to be aware of such attacks.
Conclusion
We understand the importance of protecting your customer’s cardholder data. Unified teamwork can help you to remain coherent with the latest changes and updates, helping you to identify any gaps that might compromise your customer’s data. Although, there was an announcement from the 2017 European Community Meeting in October that, this deadline is still under review by the Council. However, until the Council issues an official update, we would recommend you to remain unsupportive on these two protocols (SSL and TLS 1.0) past that date or, have an appropriate compensating controls to address the risk timely and properly.
HOW BRISKINFOSEC HELPS YOU:
Brisinfosec provides many swift compliance services. Regarding PCI-DSS service, Briskinfosec checks the extent to which our client’s financial data are secured. To strengthen our client’s data to the best, our security auditors successfully implement the latest policies and procedures of the PCI-DSS standards in the client company. Apropos of that implementation, we also carry out security assessment in auditing the policies correctly and ensure the procedures are successfully followed by the organisation.
CURIOUS TO READ OUR CASE STUDY?
Our stakeholder is one of the leading commercial bank throughout the globe, offering financial solutions through regional branches, internet, and mobile. They wanted us to conduct a proactive cybersecurity audit and also to check their financial policies. We competently audited their policies and have cited that process in our case study. Check it out.
LAST BUT NOT THE LEAST:
Have you checked out our monthly Threasploit Adversary Report which collects various cyber breaches and their respective impacts on organisations. Check it out to broaden your horizons on cyberattacks.