Prepare for the 2018 PCI DSS 3.2 Changes: A Compliance Resource
As the sentinel for your organization’s IT systems, including all of the consumer data obtained through credit card payments, you understand the challenges and the value of protecting that data. Your concern is far from unfounded: more than 510 million records holding sensitive customer data have been breached since January 2005, per the PCI Security Standards Council.
What Is the PCI DSS and Why Is It Important?
You’re probably quite familiar with the Payment Card Industry Data Security Standard (PCI DSS), which is a unified collection of payment account data security requirements. When implemented, these information security standards serve to protect your company, as well as financial institutions, from data breaches. Most importantly, following these protocols helps to prevent theft of cardholder data.
A Brief History of the PCI DSS
The first version of PCI DSS, or PCI DSS 1.0, was released December 15, 2004, and was designed when five major credit card issuers—Visa, MasterCard, American Express, Discover and JCB—pooled their individual security measures to increase controls around cardholder data. Once these companies developed protocols that created an added layer of protection, holding merchants to certain standards when collecting, storing, processing and transmitting consumer data, the PCI DSS (“the Standard”) was formed.
Since its inception, the Standard has gone through several upgrades to reflect emerging technologies and updated risks and threats, and to add clarity and flexibility.
What Is the Timeline for the PCI DSS 3.2 Update?
The latest PCI DSS 3.2 changes were developed and initially published in April 2016, providing a brief description of the upcoming changes and a timeline. Originally set for release on February 18, 2018, the official release date has now been pushed back to June 30, 2018. Until then, PCI DSS 3.2 will still be considered “best practices.”
What Changes Can You Expect from the PCI DSS 3.2 Update?
There are a few major changes you can expect from the PCI DSS 3.2 update, as well as several smaller changes that are set to protect your customers’ cardholder data, along with your company and your reputation.
The PCI Security Standards Council has announced that one of the most significant changes accompanying PCI DSS 3.2 is the addition of “multi-factor authentication as a requirement for any personnel with administrative access into the cardholder data environment, so that a password alone is not enough to verify the user’s identity and grant access to sensitive information, even if they are within a trusted network.”
This basically means that, upon implementation of PCI DSS 3.2, users must provide two or more credentials to gain access to credit card data and related systems.
The Transition to a More Secure Version of TLS
The transition from SSL and TLS 1.0 to a higher layer of protection, at least TLS 1.1, was originally planned for June 30, 2016, but was extended to June 30, 2018 for official enforcement.
Various Additional Changes to PCI DSS 3.2
PCIComplianceGuide.org has shared several additional moderate changes to PCI DSS 3.2, including:
- Added Service Provider Scrutiny. Each time a service provider makes changes to its management, it becomes subject to additional penetration testing on a more frequent basis.
- New DESV Requirements. An acquirer or payment brand can deem that certain organizations require additional validation of existing PCI DSS requirements, known as Designated Entities Supplemental Validation (DESV). Many companies use DESV validation standards as a matter of best practice, even if not required to. The specific updates regarding DESV have not been announced yet, but you will find them in the Appendices in the DSS.
- Updated Rules Regarding Displaying Card Numbers. This change will relate to the upcoming changes to overall card number standards.
- Changes to Requirements in the SAQs. Some of the Self-Assessment Questionnaires (SAQs) will have additional requirements while others will have fewer requirements, but PCICompliance.org does not anticipate a great deal of impact with these changes.
What Do the PCI DSS 3.2 Changes Mean for Your Organization?
You may already be implementing the changes to PCI DSS 3.2 as measures of best practices, but it is clear that each change serves to add protection for your company, related financial institutions, and your valued customers.
While periodic assessments are critical for your organization, the PCI DSS 3.2 update criteria can help you make security a more organic and seamless part of your everyday schedule. The PCI Security Standards Council states that the intent of these updates is primarily to establish “security processes that help prevent, detect and respond to attacks that can lead to data loss.”
How Can You Prepare for Your Next PCI DSS 3.2 Assessment with the 2018 Changes in Mind?
Regular daily adherence is the first step toward preparing for your first assessment after the June 30, 2018 official PCI DSS 3.2 update enforcement date, but you can definitely do more to put yourself in position for superior results.
Protect Your Cardholder Data Against External Threats
The PCI DSS 3.2 updates offer you even more tools to protect your system against external threats that can result in data theft, so use them. Strictly enforce the multi-factor authentication requirements, upgrade your SSL and TLS 1.0 to the minimum new layer of protection, adhere to DESV requirements and rules regarding displaying card numbers, and perform regular penetration testing for crucial compliance and protection.
Protect Your Cardholder Data Against Internal Threats
While it is not a topic any organization likes to imagine, sometimes the enemy is within. A hacker may apply to your company as a wolf in sheep’s clothing, so it is important to properly vet employees who will work with sensitive cardholder information.
Rely on the Services of a CPA Firm That Has a Grasp on the PCI DSS 3.2 Update
At I.S. Partners, LLC., we understand how important protecting your valued customers’ cardholder data is to you. We also understand the wrench that this type of update can throw into your team’s regular tasks. We can help you get up to speed on all the changes, helping you identify any gaps that might compromise your customers’ data.
Contact us by sending us a message or calling us at 215-675-1400. We can help you prepare for the official June 30, 2018 PCI DSS 3.2 changes so you can feel confident that you are in compliance from the first day forward.