The Payment Card Industry Data Security Standard (PCI DSS) published by the Payment Card Industry Security Standards Council (PCS SSC) is a set of regulations businesses must use to safeguard the financial and personal data of their customers throughout every point of a transaction. In response to the increase in payment information threats, version 3.2 of the PCI DSS is in full effect.
PCI DSS is now recognized as a standard that can be updated with small revisions, rather than only when significant changes take place. Originally released in 2016, Version 3.2 has been considered a set of best practices as a way to help businesses balance meeting compliance measures with operational reality; however, these requirements are now mandatory as of February 1, 2018.
Here is a summary of some key points that companies who accept, process or receive payment information from customers must have in place to ensure PCI DSS Version 3.2 compliance standards are met.
New Requirements for Merchants and Service Providers
- When installing new systems and networks, or making significant changes to those that already exist, PCI DSS controls must be immediately implemented. Documentation must also be provided as proof that requirements are being met.
- Multi-factor authentication is required for all personnel with administrator access to the cardholder data environment (CDE). This authentication can be implemented at network level or system level, and is necessary only for non-console access.
New Requirements for Service Providers Only
- Service providers are required to maintain documentation that details the algorithms, protocols and keys used to protect cardholder data. This documentation must include the key strength and expiration date, description of usage or each key and inventory of tools used for key management. This will provide easier detection of lost or missing keys or management devices, and identify unauthorized additions.
- Companies must implement a process that allows them to quickly detect and report the failure of critical-control systems such as firewalls, anti-virus software, physical-access controls and audit logging. For example, a firewall that goes offline is considered a failure and must be properly reported.
In the event of one of these failures, it is necessary that action be taken in a timely manner to restore security functions, as well as performing a risk assessment to determine what further action may be needed. Documentation that includes the cause of the failure, its duration and any other issues that may have occurred is also required.
- Providers who use segmentation must meet compliance mandates by performing penetration testing on security controls every six months, as well as after any changes are made. Frequent validation ensures PCI DSS compliance remains current and in line with changing business objectives.
- Responsibility for the protection of cardholder data and PCI DSS compliance must be clearly established by executive management. This outline of responsibility ensures executives have a compliance program roadmap and the opportunity to determine the effectiveness of the plan.
Compliance reviews should be conducted on a quarterly basis and include daily log reviews, firewall rules, configuration standards of new systems, response to security alerts and change management processes. These reviews help prepare organizations for their next PCI DSS assessment by ensuring adherence to security policies and procedures, and act as a confirmation that systems are performing as intended. Documentation of the quarterly-review results must be signed off by the personnel responsible for the compliance program and maintained by the company.
In navigating the maze of new and changing requirements of standards such as PCI DSS and HIPAA, many steps in the process can be inadvertently overlooked. Your organization needs a multi-layered security solution, along with proven strategies and expertise to maintain compliance. Without the proper guidance and plans in place, you face millions of dollars in fines that could put your entire business at risk.
Protelligent’s Premonition Security Suite™ can help your organization keep up with mandatory changes and improve your operational efficiency. Call (855) PRO-TELL today to get started.
Note: The above information is a summary of the major changes to the requirements included in PCI DSS version 3.2, and is not a comprehensive overview of all updates. We advise organizations always refer directly to the original publication to ensure they are in compliance with the latest requirements and security assessment procedures.