The PCI Security Standards Council (PCI SSC) released an updated security standard on April 28, 2016, designed to protect merchants and consumers from increasing attacks against payments infrastructures. Merchants will have six months to comply with new guidelines, which may require up to two years to fully implement, security analysts have said.
The Payment Card Industry (PCI) Data Security Standard (DSS) Version 3.2, which becomes effective Oct. 31, 2016, was based on council member feedback and data breach trend analysis. The new standard has performed well in preliminary testing. "PCI DSS 3.2 includes a number of updates to help these entities demonstrate that good security practices are active and effective," said PCI SSC Chief Technology Officer Troy Leach.
PCI DSS 3.2 mandates multifactor authentication for anyone with access to payment card data. This requirement previously applied only to remote access from unknown or untrusted networks.
Primary changes include "new requirements for administrators and services providers and the cardholder data environments they are responsible to protect," PCI SSC General Manager Stephen Orfei stated. "PCI DSS 3.2 advocates that organizations focus on people, process and policy, with technology playing an important role in reducing the overall cardholder data footprint."
Additional changes in PCI DSS 3.2 include revised Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) sunset dates; expansion of requirement 8.3 to include use of multifactor authentication for administrators accessing the cardholder data environment; and additional security validation steps for service providers and others, including "Designated Entities Supplemental Validation criteria."
Security analysts have raised concerns about complexities related to migrating from customary, embedded platforms to more secure authentication methods. Michael Petitti, Senior Vice President of Global Alliances at Trustwave, suggested full implementation could take up to two years. This is largely due to the need to migrate from SSL and early TLS, which were widely used and undisputed until inherent vulnerabilities were exposed, he said.
"The PCI SSC is mindful of the substantial scale of changes that are taking place, especially with regard to new technologies such as the use of chip cards in the U.S. and other technologies that are part of the transaction supply chain, such as mobile," Petitti said. "By communicating the new standard well in advance of migration deadlines, the PCI SSC is providing a window to enable all the transaction stakeholders, acquirers, ISOs, PSPs and merchants, to best determine how to prioritize their future security investments."
Requiring two-factor authentication for administrators within the cardholder data environment is a significant change to the standard and "a nod to internal threats," Petitti added.
Steven Grossman, Vice President of Program Management at Bay Dynamics, a cybersecurity firm, sees potential gridlock ahead on the PCI compliance road map. "For large organizations that have legacy systems combined with legacy companies, adhering is a huge effort because there are so many moving parts," he said. "What frequently happens is the effort to become compliant becomes the driving force, taking precedence over protecting data."
If companies spent more time and energy protecting data, compliance would take care of itself, Grossman stated. "Compliance is simply a set of guidelines and not a guarantee against data breaches; Target, despite being compliant, was quite exposed," he said. "We see a lot in our travels around PCI reporting and PCI audits but that's backward, equivalent to a CFO deciding to pay suppliers once a quarter."
Grossman and other analysts emphasized that many companies already have multifactor authentication, encryption, penetration testing and reporting in place. PCI DSS version 3.2 takes things a bit further, and large conglomerates, in particular, may require more than six months to update their infrastructures.
For a copy of PCI DSS version 3.2, please visit www.pcisecuritystandards.org/document_library.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next