The PCI Security Standards Council (PCI SSC) has published an update to its global data security standard. PCI DSS version 3.2 replaces version 3.1 to address growing threats to customer payment information.
“We’ve seen an increase in attacks that circumvent a single point of failure, allowing criminals to access systems undetected and to compromise card data,” explained Troy Leach, chief technology officer, PCI SSC. “A significant change in PCI DSS 3.2 includes multi-factor authentication as a requirement for any personnel with administrative access into environments handling card data.”
Previously, multi-factor authentication was only required for remote access from untrusted networks. Now the requirement is broader, so that a password alone is no longer enough to verify an administrator’s identity and grant access to sensitive information. Other changes include updates for service providers aggregating card data, and provisions around the sunset dates for SSL and early TLS internet security protocols.
“PCI DSS is a mature standard, so the primary changes in version 3.2 are clarifications on requirements that help organisations confirm that critical data security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process,” said Stephen Orfei, general manager, PCI SSC. The council expects future incremental revisions to address evolving threats within the payments and technology landscape.
PCI DSS version 3.1 will expire on 31 October 2016. However, all new requirements are best practices until 1 February 2018, to allow organisations to prepare to implement these changes.