The Green Sheet Online Edition

May 23, 2016  •  Issue 16:05:02


Updated PCI DSS released

The PCI Security Standards Council (PCI SSC) released an updated security standard on April 28, 2016, designed to protect merchants and consumers from increasing attacks against payments infrastructures. Merchants will have six months to comply with new guidelines, which may require up to two years to fully implement, security analysts have said.

The Payment Card Industry (PCI) Data Security Standard (DSS) Version 3.2, which becomes effective Oct. 31, 2016, was based on council member feedback and data breach trend analysis. The new standard has performed well in preliminary testing. "PCI DSS 3.2 includes a number of updates to help these entities demonstrate that good security practices are active and effective," said PCI SSC Chief Technology Officer Troy Leach.

Platform changes, enhancements

PCI DSS 3.2 mandates multifactor authentication for anyone with access to payment card data. This requirement previously applied only to remote access from unknown or untrusted networks.

Primary changes include "new requirements for administrators and service providers and the cardholder data environments they are responsible to protect," PCI SSC General Manager Stephen Orfei stated. "PCI DSS 3.2 advocates that organizations focus on people, process and policy, with technology playing an important role in reducing the overall cardholder data footprint."

Additional changes in PCI DSS 3.2 include revised Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) sunset dates; expansion of requirement 8.3 to include use of multifactor authentication for administrators accessing the cardholder data environment; and additional security validation steps for service providers and others, including "Designated Entities Supplemental Validation criteria."

Multifactor road map

Security analysts have raised concerns about complexities related to migrating from customary, embedded platforms to more secure authentication methods. Michael Petitti, Senior Vice President of Global Alliances at Trustwave, suggested full implementation could take up to two years. This is largely due to the need to migrate from SSL and early TLS, which were widely used and undisputed until inherent vulnerabilities were exposed, he said.

"The PCI SSC is mindful of the substantial scale of changes that are taking place, especially with regard to new technologies such as the use of chip cards in the U.S. and other technologies that are part of the transaction supply chain, such as mobile," Petitti said. "By communicating the new standard well in advance of migration deadlines, the PCI SSC is providing a window to enable all the transaction stakeholders, acquirers, ISOs, PSPs and merchants, to best determine how to prioritize their future security investments."

Requiring two-factor authentication for administrators within the cardholder data environment is a significant change to the standard and "a nod to internal threats," Petitti added.

People, process, policy

Steven Grossman, Vice President of Program Management at Bay Dynamics, a cybersecurity firm, sees potential gridlock ahead on the PCI compliance road map. "For large organizations that have legacy systems combined with legacy companies, adhering is a huge effort because there are so many moving parts," he said. "What frequently happens is the effort to become compliant becomes the driving force, taking precedence over protecting data."

If companies spent more time and energy protecting data, compliance would take care of itself, Grossman stated. "Compliance is simply a set of guidelines and not a guarantee against data breaches; Target, despite being compliant, was quite exposed," he said. "We see a lot in our travels around PCI reporting and PCI audits but that's backward, equivalent to a CFO deciding to pay suppliers once a quarter."

Grossman and other analysts emphasized that many companies already have multifactor authentication, encryption, penetration testing and reporting in place. PCI DSS version 3.2 takes things a bit further, and large conglomerates, in particular, may require more than six months to update their infrastructures.

For a copy of PCI DSS version 3.2, please visit

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
