PCI DSS version 3.2 to be released 28 April 2016

money-256319_1920The latest version of the Payment Card Industry’s Data Security Standard (PCI DSS) will be released on Thursday.  The new version features stronger rules for data access, criteria for ongoing compliance programmes, and a renewed emphasis on the need to migrate to a more secure web protocol, or Transport Layer Security (TLS).

The current version, PCI DSS 3.1, will be retired on 31 October 2016.

Multi-factor authentication

Multi-factor authentication will be one of the biggest changes being introduced by PCI DSS 3.2 according to Troy Leach of the PCI Security Standards Council (multi-factor authentication is where two or more credentials must be used to authorise a person’s access to card data and systems).

Version 3.2 proposes multi-factor authentication for all “personnel with administrative access into the cardholder data environment (CDE), so that a password alone is not enough to verify the user’s identity and grant access to sensitive information,” said Leach.

Multi-factor authentication will apply to any administrator, third party or internal, with the authority to change systems and other credentials that could compromise the security of the CDE.

Companies are urged to review current administrator roles and their access to establish how changes will need to be made in line with version 3.2.

Designated Entities Supplemental Validation

Version 3.2 will also include “Designated Entities Supplemental Validation” criteria (that was introduced last year as a separate publication) that can help service providers address key challenges in maintaining ongoing security efforts.  These include effective compliance oversight, proper scoping of the CDE, and implementing effective alerts to detect failures in critical security controls.

New service provider requirements – executive leadership accountability

Several new requirements have been introduced for service providers due to the important role they play in securing cardholder data for their customers.

These include developing documented descriptions of the cryptographic architecture and reporting on failures of critical security control systems.  There is also a requirement for executive management to take responsibility for protecting cardholder data.

“If you are part of senior leadership in an organization and entrusted to protect the cardholder data of your customers, you should be fully aware of your PCI DSS responsibility,” Leach said.

Previous guidance about migrating from SSL to TSL still applies.

Get expert advice and support

Contact IT Governance’s specialist PCI QSA consultancy team for advice on how to prepare for your next ROC audit now by emailing us on servicecentre@itgovernance.co.uk or calling us on +44 (0) 845 070 1750.