What You Need to Know about PCI DSS 3.2
February 13, 2018 By Christopher George
The Payment Card Industry Data Security Standard (PCI DSS), published by the Payment Card Industry Security Standards Council (PCI SSC), is a set of requirements businesses must follow to safeguard the financial and personal data of their customers at every point of a transaction. In response to the increase in threats to payment information, version 3.2 of the PCI DSS is now in full effect.
PCI DSS is now recognized as a standard that can be updated with small revisions, rather than only when significant changes take place. Originally released in 2016, Version 3.2 has been considered a set of best practices as a way to help businesses balance meeting compliance measures with operational reality; however, these requirements are now mandatory as of February 1, 2018.
Here is a summary of some key points that companies who accept, process or receive payment information from customers must have in place to ensure PCI DSS Version 3.2 compliance standards are met.
New Requirements for Merchants and Service Providers
- When installing new systems and networks, or making significant changes to those that already exist, PCI DSS controls must be immediately implemented. Documentation must also be provided as proof that requirements are being met.
- Multi-factor authentication is required for all personnel with administrator access to the cardholder data environment (CDE). This authentication can be implemented at network level or system level, and is necessary only for non-console access.
New Requirements for Service Providers Only
- Service providers are required to maintain documentation that details the algorithms, protocols and keys used to protect cardholder data. This documentation must include the strength and expiration date of each key, a description of what each key is used for, and an inventory of the tools used for key management. Keeping this inventory makes it easier to detect lost or missing keys or key-management devices, and to identify unauthorized additions.
- Companies must implement a process that allows them to quickly detect and report the failure of critical-control systems such as firewalls, anti-virus software, physical-access controls and audit logging. For example, a firewall that goes offline is considered a failure and must be properly reported.
In the event of one of these failures, it is necessary that action be taken in a timely manner to restore security functions, as well as performing a risk assessment to determine what further action may be needed. Documentation that includes the cause of the failure, its duration and any other issues that may have occurred is also required.
- Providers who use segmentation must meet compliance mandates by performing penetration testing on security controls every six months, as well as after any changes are made. Frequent validation ensures PCI DSS compliance remains current and in line with changing business objectives.
- Responsibility for the protection of cardholder data and PCI DSS compliance must be clearly established by executive management. This outline of responsibility ensures executives have a compliance program roadmap and the opportunity to determine the effectiveness of the plan.
Compliance reviews should be conducted on a quarterly basis and include daily log reviews, firewall rules, configuration standards of new systems, response to security alerts and change management processes. These reviews help prepare organizations for their next PCI DSS assessment by ensuring adherence to security policies and procedures, and act as a confirmation that systems are performing as intended. Documentation of the quarterly-review results must be signed off by the personnel responsible for the compliance program and maintained by the company.
In navigating the maze of new and changing requirements of standards such as PCI DSS and HIPAA, many steps in the process can be inadvertently overlooked. Your organization needs a multi-layered security solution, along with proven strategies and expertise to maintain compliance. Without the proper guidance and plans in place, you face millions of dollars in fines that could put your entire business at risk.
Protelligent’s Premonition Security Suite™ can help your organization keep up with mandatory changes and improve your operational efficiency. Call (855) PRO-TELL today to get started.
Note: The above information is a summary of the major changes to the requirements included in PCI DSS version 3.2, and is not a comprehensive overview of all updates. We advise organizations always refer directly to the original publication to ensure they are in compliance with the latest requirements and security assessment procedures.