On February 1, 2018, the new requirements introduced in PCI DSS 3.2 stop being "best practice" and become mandatory. That is a significant step for any company involved in payment card processing, or in the storage, processing or transmission of cardholder data and sensitive authentication data: in other words, all financial institutions, merchants and service providers.
The Payment Card Industry Data Security Standard was developed to encourage and enhance cardholder data security and to facilitate broad adoption of consistent data security measures globally. The ultimate aim is to reduce payment card fraud. The individual payment brands (Visa, MasterCard, Discover, American Express and JCB) enforce compliance with the PCI DSS and decide on any penalties for non-compliance. Validation depends on transaction volume: smaller merchants complete an annual Self-Assessment Questionnaire, while the largest merchants and service providers must undergo an annual on-site assessment by an independent Qualified Security Assessor.
The PCI DSS is organised into six control objectives and 12 requirements, broken down into more than 200 individual sub-requirements and testing procedures.
The main updates in version 3.2 are as follows:
- Multi-factor authentication; Requirement 8.3 now mandates MFA for all non-console administrative access into the Cardholder Data Environment (CDE), on top of the existing MFA requirement for remote network access originating from outside the entity's network. In practice, any administrator who logs into in-scope systems such as databases, network devices and mail servers that store or handle cardholder data over the network (SSH, RDP, web consoles, and so on) must present at least two independent factors.
- Primary Account Number Storage; When a PAN is displayed, the first six and last four digits are the maximum that may be shown; the remaining digits must be masked. Companies must document which roles have a legitimate business need to see more than these 10 digits, and why. Note that this display rule is separate from the storage rule (Requirement 3.4), under which stored PANs must still be rendered unreadable by truncation, hashing, tokenisation or strong encryption.
- Migration to TLS; All PCI DSS compliant firms have until June 30, 2018 to migrate from SSL and early TLS to TLS 1.1 as a minimum; TLS 1.2 is strongly recommended. Until then, any use of SSL or early TLS must be covered by a formal risk mitigation and migration plan. Simply enabling TLS 1.2 is not enough: the legacy versions must actually be disabled on every in-scope endpoint, which can be verified by attempting a handshake with each old version (for example `openssl s_client -tls1 -connect host:443`) and confirming that it is refused.
- New Rules for Service Providers; There are five new requirements (and multiple sub-requirements) for service providers. Among other measures, providers must now detect and report failures of critical security control systems (such as firewalls, IDS/IPS, FIM, anti-malware and logging) and respond to them in a timely manner, maintain a documented description of their cryptographic architecture, perform penetration tests of segmentation controls at least every six months, and carry out quarterly reviews to confirm that personnel are following security policies and operational procedures.
- Ensuring CDE changes are secure and compliant; After any significant change to the CDE, all relevant PCI DSS requirements must be implemented on the new or changed systems and networks, and documentation updated accordingly. Every requirement affected by the change must then be re-verified to ensure continued compliance with the full standard.
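The PAN display rule above is one of the few items in the list that reduces directly to code. The following is an added example, not code from the original article or from Gemalto: it detects candidate PANs in free text (for instance application logs that should never have contained them), filters out most false positives with the Luhn checksum, and masks everything except the first six and last four digits, clamping any caller-supplied limits to that maximum. The regular expression, the sample log lines and the function names are all constructed for this example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not embedded inside a longer digit run. Constructed for this
# example; tune it to the formats seen in your own data.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines. The order number is 16 digits but fails Luhn,
# so it must be left alone; the two card numbers are well-known test PANs.
SAMPLE_LOG = (
    "2018-02-01 10:22:13 order=1234567890123456 card=4111 1111 1111 1111 amount=19.99\n"
    "2018-02-01 10:22:14 card=378282246310005 status=approved\n"
)


def luhn_valid(digits: str) -> bool:
    """Return True if a string of digits passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display, preserving any separators in the input.

    PCI DSS 3.3 allows at most the first six and last four digits to be shown,
    so larger keep_first / keep_last values are clamped to 6 and 4.
    """
    digits = re.sub(r"\D", "", pan)
    n = len(digits)
    if n < 13 or n > 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    keep_first = max(0, min(keep_first, 6))
    keep_last = max(0, min(keep_last, 4))
    out = []
    idx = 0
    for ch in pan:
        if ch.isdigit():
            out.append(ch if idx < keep_first or idx >= n - keep_last else "*")
            idx += 1
        else:
            out.append(ch)      # keep spaces / hyphens so the layout is unchanged
    return "".join(out)


def mask_pans_in_text(text: str) -> str:
    """Replace every Luhn-valid PAN candidate in text with its masked form."""
    def _sub(match: re.Match) -> str:
        candidate = match.group(0)
        if luhn_valid(re.sub(r"\D", "", candidate)):
            return mask_pan(candidate)
        return candidate        # digit run that is not a plausible PAN
    return _PAN_RE.sub(_sub, text)


if __name__ == "__main__":
    print(mask_pans_in_text(SAMPLE_LOG), end="")
```

The Luhn filter removes most timestamps, order IDs and phone numbers from the match set, but about one in ten random 16-digit strings passes it, so a scrubber like this reduces rather than eliminates false positives; the real fix is to stop writing PANs to logs in the first place. Note also that masking is a display control only: a masked string is not a substitute for the truncation, tokenisation or encryption required for stored PANs.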
As you can see, these changes are extensive, and the penalties for non-compliance are significant. Organizations can face substantial fines, lost revenue, a shrinking customer base and lasting damage to reputation and trust.
The retail sector is affected just as much. Merchants that do not comply may be subject to fines, card replacement costs and expensive forensic investigations should a data breach occur.
Companies should already be well along the road to compliance by now, and should be prioritising work with partners on encryption, key management and authentication solutions.
It is vital that organizations get a handle on this. Last year's data breaches were the worst on record; Equifax alone exposed the personal details of some 143 million Americans, including payment card numbers for around 209,000 of them. Billions of dollars are lost to card fraud each year, and PCI DSS 3.2 puts in place safeguards intended to reduce that burden.
Gemalto can help your company meet the following goals and ensure compliance:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
If you’re interested, please get in touch about our PCI DSS Compliance Solutions