The Payment Card Industry Data Security Standard known as PCI DSS 3.2 affects all merchants who accept credit card payments from Visa, MasterCard, Discover, and American Express.
PCI DSS 3.2 provides stronger security measures for consumers. This has become necessary because of the rise in the number of cyber-attacks.
PCI DSS 3.2 is a highly detailed document that contains 12 requirements for safeguarding the information of cardholders.
Preventing security breaches
A new annual application- and network-level assessment determines whether devices and systems connected to the Internet have certain vulnerabilities that hackers might use to obtain important cardholder information. If properly implemented, these standards will better safeguard everyone’s financial information.
Though this process can be tedious, it’s important to complete it correctly and on a regular basis. Penetration testing and vulnerability assessment scans are required every three months. Independent audits may also be required, along with periodic scans. Some of these requirements only pertain to businesses that do a larger volume of cardholder transactions. In addition, scans must be completed by an “approved” company.
The PCI DSS Self-Assessment Questionnaire evaluates a service provider or merchant’s compliance with those items listed in the document. If weaknesses are identified, the Questionnaire also includes recommendations for bringing the security controls up to full compliance level.
Below are a few of the updated controls, including new changes to regulations:
Control 3.3 – Changes in wording
This control will be used by merchants and service providers. Changes in wording to control 3.3 provide greater detail as to how a Credit Card Number or Primary Account Number (PAN) is displayed. Typically, only the first six and last four digits of a credit card number should be displayed. If personnel have a legitimate need to see the entire credit card number, then they are allowed to view it.
Control 3.5.1 – Encryption architecture documentation
This control pertains to service providers and it regulates the use of protocols, algorithms, and keys used in protecting card data. It includes card expiration dates and key strengths. Documentation must include a description of any hardware security modules (HSMs), all protocols, and a description of the cryptographic keys used.
Control 6.4.6 – Verifying PCI DSS requirements on new and modified networks
This control will be used by merchants and service providers. It mandates that all requirements of PCI DSS be implemented in new or modified networks and that these changes be verified. Though this normally is completed by personnel anyway, the new control requires employees to examine records, observe affected systems and interview staff to make sure the applicable PCI DSS requirements were correctly implemented.
Control 8.3.1 Multiple authentication factors for CDEs
In the previous version of PCI DSS, a two-factor authentication process was required. These new standards require “multiple” authentication factors. Though the control does not stipulate how many are required, by changing the terminology from “two-factor” to “multiple”, it is clear that at least three types of authentication should be utilized in the cardholder data environment (CDE).
Control 10.8 – Periodic reporting and detection of system failures
This control is applicable to service providers. It spells out the application process for fault detection, as well as the creation of regular periodic reports. Reports should cover all critical security control systems. These include anti-virus programs, firewalls, FIM, IDS/IPS, logical access controls, physical access controls, segmentation controls, audit logging mechanisms, and others.
Control 10.8.1 – Response to security incidents
This control is applicable to service providers. It mandates that companies have an efficient plan for responding to any breaches or failures. The exact failure and cause (if possible) will be determined and documented. Remedial actions should be taken at once. Managers and directors should determine if any further actions in response to the breach are necessary. New deterrents should be put in place to prevent this type of breach from occurring again.
Control 126.96.36.199 – Tests of constant intrusions
This control is applicable to service providers. It requires that intrusion tests be carried out every six months whenever segmentation of environments are used.
Control 12.11 – Security policy reviews
This control is applicable to service providers only. It requires that all security policies be reviewed every three months to determine whether personnel are following the rules and procedures. These reviews should include firewall rules, daily logs, responses to security events, changes to management procedures and any other items regarding system security.
Control 12.11.1 – Maintain quarterly review documentation
This control is applicable to service providers only and it stipulates that the regular quarterly review is effectively documented. The person in charge of implementing the PCI DSS compliance program at your company must sign off on these reviews.
Restoring public trust
These are just a few of the new PCI DSS rules and regulations. All changes were the result of an ongoing effort by the Payment Card Industry Data Security Standard to reduce data breaches and ensure the public’s trust. The 3.2 version contains eight evolving requirements, 47 clarifications, and three additional guidance points.
For a full listing of all the new PCI DSS 3.2 requirements, please visit: PCISecurityStandards.org.