PCI DSS 3.2: Are You Compliant?
If you work for a company that takes card payments from customers over the phone, you are responsible for keeping that data as safe and secure as possible. This protects not only your customers but your business as well. PCI DSS 3.2 was introduced in April 2016, and it has been considered best practice in the industry since the retirement of PCI DSS 3.1 in October 2016. Beginning in February 2018, you cannot be PCI DSS compliant without meeting the requirements of 3.2. Because technology continues to evolve and change, the standards behind the regulations must change with it. Here are the highlights of PCI DSS 3.2:
- Multi-Factor Authentication: PCI DSS 3.2 makes multi-factor authentication mandatory for all non-console administrative access to the cardholder data environment (CDE), even when the administrator is not connecting remotely.
- PAN Storage: only the first six and last four digits of a primary account number (PAN) may be displayed; the rest must be masked. If employees need to see more than these 10 permitted digits, the organization must record who has that access and document the business reason for it.
- New Process for Service Providers: this update includes new requirements (and sub-requirements) for service providers. These changes instruct providers to detect and notify customers of failing critical security control systems, maintain documentation on cryptographic architecture, perform quarterly reviews for security personnel, and more.
- Security Controls for CDE Changes: if an organization changes its cardholder data environment, it is required to confirm that the proper security controls are in place immediately following the change.
- SSL and Early TLS Migration: all PCI-compliant organizations have until June 30, 2018 to migrate from SSL and early TLS protocols to TLS 1.1 or higher. Moving to TLS 1.1 is acceptable; however, the PCI Security Standards Council recommends implementing a later version such as TLS 1.2, even though it is not the minimum required, because in some cases TLS 1.1 is no longer considered a strong choice against current protocol vulnerabilities.
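Two of the items above translate directly into code: the PAN display rule (first six and last four digits visible, the rest masked) and the retirement of SSL and early TLS. The following Python is an added example written for this page, not code from the PCI Security Standards Council or from 2W Tech. The card number and log line it processes are constructed sample values (4111 1111 1111 1111 is a widely used test number, not a real account), the Luhn check is an added false-positive filter that the page itself does not mention, and the TLS helpers assume the `minimum_version`/`maximum_version` attributes of the Python 3.7+ standard-library `ssl` module.

```python
import re
import socket
import ssl

# --- PAN display masking: at most the first six and last four digits shown ---

MAX_FIRST_VISIBLE = 6
MAX_LAST_VISIBLE = 4
MASK_CHAR = "*"

# Candidate PAN in free text: 13-19 digits, optionally separated by single spaces or dashes.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def normalize_pan(raw: str) -> str:
    """Strip spaces/dashes and require 13-19 digits (the PAN lengths of ISO/IEC 7812).

    Anything else raises, so arbitrary numbers are never turned into a
    plausible-looking masked PAN.
    """
    digits = re.sub(r"[ -]", "", raw)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN: expected 13-19 digits")
    return digits


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; used only to cut false positives when scrubbing text."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(raw: str, first: int = MAX_FIRST_VISIBLE, last: int = MAX_LAST_VISIBLE) -> str:
    """Return the PAN with only the first `first` and last `last` digits visible.

    Callers may show fewer digits (e.g. only the last four on a call-centre
    screen) but never more than 6/4, the PCI DSS ceiling for a masked display.
    """
    if not (0 <= first <= MAX_FIRST_VISIBLE and 0 <= last <= MAX_LAST_VISIBLE):
        raise ValueError("PCI DSS permits at most the first six and last four digits")
    digits = normalize_pan(raw)
    hidden = len(digits) - first - last
    tail = digits[len(digits) - last:]  # "" when last == 0 (digits[-0:] would be the whole PAN)
    return digits[:first] + MASK_CHAR * hidden + tail


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid PAN found in free text, e.g. a log line or ticket note.

    Digit runs that fail Luhn (order numbers, timestamps) are left untouched.
    """
    def _mask(match: re.Match) -> str:
        token = match.group(0)
        try:
            digits = normalize_pan(token)
        except ValueError:
            return token
        return mask_pan(digits) if luhn_valid(digits) else token

    return _PAN_CANDIDATE.sub(_mask, text)


# --- SSL / early TLS migration --------------------------------------------------

def make_pci_tls_context() -> ssl.SSLContext:
    """Client context that refuses SSLv2/3, TLS 1.0 and TLS 1.1.

    TLS 1.1 is the minimum the deadline requires; the Council's recommended
    TLS 1.2 is used here so none of the retired protocols can be negotiated.
    """
    ctx = ssl.create_default_context()  # certificate and hostname verification stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol a context will negotiate, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def server_accepts_legacy_tls(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Compliance probe: True if `host` still completes a handshake capped at TLS 1.1.

    A failed handshake is reported as False. Some OpenSSL builds refuse to
    offer TLS 1.0/1.1 locally; that case raises RuntimeError instead, so a
    False result is never produced by the probe's own limitations.
    """
    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    probe.check_hostname = False  # only the negotiated protocol version matters here
    probe.verify_mode = ssl.CERT_NONE
    try:
        probe.minimum_version = ssl.TLSVersion.TLSv1
        probe.maximum_version = ssl.TLSVersion.TLSv1_1
    except ValueError as exc:
        raise RuntimeError("local OpenSSL cannot offer TLS 1.0/1.1; probe with another tool") from exc
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with probe.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() in {"SSLv3", "TLSv1", "TLSv1.1"}
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    # Constructed sample log line; the card number is a well-known test value.
    print(redact_pans("order 8812 paid with card 4111 1111 1111 1111 at 12:03"))
    print(minimum_version_name(make_pci_tls_context()))
```

`redact_pans` is the shape of control that belongs in front of application logs and ticketing systems, where full PANs most often leak by accident; `server_accepts_legacy_tls` is a quick self-check for the June 30, 2018 deadline, pointed at your own endpoints.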
Given increasing awareness of cyberattacks, it's not surprising that PCI DSS is ramping up its focus on security. Quarterly reviews (and associated documentation) are now required for service provider personnel to confirm they are trained on PCI security policies and on all standards and procedures. It is no longer enough to reach compliance; you must continue to evolve as the standard evolves. 2W Tech's Cybersecurity Compliance Program was designed to support businesses with their compliance obligations. Most organizations must adopt and maintain a standard set of controls that safeguard the confidentiality and privacy of the information they store and process. We work hand in hand with you to learn about your required compliance regimes, help obtain the proper agreements, and gather the relevant system architecture information. Give us a call today to get started meeting your PCI DSS 3.2 compliance obligations.