PCI DSS Changes to Be Enforced in 2018: Are you ready?

By Jack Dempsey


The Payment Card Industry Data Security Standard (PCI DSS) is a security standard for merchants and service providers that process, store or transmit credit card information. Forward-dated changes in Version 3.2 of the DSS that require increased network security will be enforced in 2018. Are you ready?

The most important change to the standards will be enforced beginning July 1, 2018. That’s when merchants and service providers must discontinue support for the Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) cryptographic protocols. Although the protocols once provided the basis of secure network communications, they have been compromised and are no longer considered secure.

The PCI Security Standards Council website stresses the dangers that SSL and early TLS pose to merchants and providers:

  • There are many serious vulnerabilities in SSL and early TLS that, left unaddressed, put organizations at risk of being breached. The widespread POODLE and BEAST exploits are just a couple examples of how attackers have taken advantage of weaknesses in SSL and early TLS to compromise organizations.
  • According to NIST, there are no fixes or patches that can adequately repair SSL or early TLS. Therefore, it is critically important that organizations upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS.
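A practical first step toward the SSL/early TLS cut-off described above is to find out what your web tier still negotiates. The following is an added example, not code from the original post or from Sword & Shield: it parses the protocol directive of two common servers (nginx `ssl_protocols`, Apache mod_ssl `SSLProtocol`) and reports any protocol still enabled that the deadline forbids. It treats SSLv2, SSLv3 and TLS 1.0 as forbidden and reports TLS 1.1 as a warning; that split, the assumption that Apache's `all` covers SSLv3 through TLSv1.3 on your OpenSSL build, and the two config snippets at the bottom are all constructed for the example.

```python
"""Audit web-server TLS protocol directives for SSL and early TLS.

Added example, not part of the original post: it checks whether the
ssl_protocols (nginx) or SSLProtocol (Apache mod_ssl) directive in a
configuration still enables a protocol that PCI DSS 3.2 requires to be
gone by July 1, 2018. The config snippets at the bottom are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# Protocols the migration deadline forbids: SSL (all versions) and TLS 1.0,
# which the PCI Council's migration guidance calls "early TLS".
FORBIDDEN: Set[str] = {"SSLv2", "SSLv3", "TLSv1"}
# TLS 1.1 is reported separately as a warning. That is this example's
# reading of guidance that recommends TLS 1.2 or later (assumption; adjust
# to what your assessor expects).
DISCOURAGED: Set[str] = {"TLSv1.1"}
KNOWN: Set[str] = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def _canon(token: str) -> str:
    """Map a protocol token to one canonical spelling (TLSv1.0 -> TLSv1)."""
    t = token.strip()
    if t.lower() == "tlsv1.0":
        return "TLSv1"
    for k in KNOWN:
        if k.lower() == t.lower():
            return k
    raise ValueError(f"unknown protocol token: {token!r}")


def nginx_enabled(directive: str) -> Set[str]:
    """nginx lists the enabled protocols explicitly: 'ssl_protocols TLSv1.2 TLSv1.3;'."""
    m = re.match(r"\s*ssl_protocols\s+(.+?)\s*;\s*$", directive)
    if not m:
        raise ValueError("not an nginx ssl_protocols directive")
    return {_canon(t) for t in m.group(1).split()}


def apache_enabled(directive: str) -> Set[str]:
    """mod_ssl applies +/- modifiers to a running set: 'SSLProtocol all -SSLv3 -TLSv1'.

    'all' is taken as every protocol except SSLv2 (assumption: a build whose
    'all' spans SSLv3..TLSv1.3). A token with no +/- sign replaces the set
    instead of extending it, a frequent source of surprising results.
    """
    m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", directive)
    if not m:
        raise ValueError("not an Apache SSLProtocol directive")
    enabled: Set[str] = set()
    for tok in m.group(1).split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        members = (KNOWN - {"SSLv2"}) if name.lower() == "all" else {_canon(name)}
        if sign == "-":
            enabled -= members
        elif sign == "+":
            enabled |= members
        else:
            enabled = set(members)  # unsigned token resets the whole list
    return enabled


def audit(enabled: Set[str]) -> Dict[str, object]:
    """Report forbidden and discouraged protocols that are still enabled."""
    forbidden = sorted(enabled & FORBIDDEN)
    warnings = sorted(enabled & DISCOURAGED)
    return {"forbidden": forbidden, "warnings": warnings, "compliant": not forbidden}


def audit_config(text: str) -> List[Tuple[str, Dict[str, object]]]:
    """Find every protocol directive in a config snippet and audit each one."""
    results: List[Tuple[str, Dict[str, object]]] = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("ssl_protocols"):
            results.append((stripped, audit(nginx_enabled(stripped))))
        elif stripped.startswith("SSLProtocol"):
            results.append((stripped, audit(apache_enabled(stripped))))
    return results


# Constructed sample snippets: a pre-migration nginx server block and the
# hardened form a merchant would deploy before the deadline.
WEAK_NGINX = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""
HARDENED_NGINX = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_NGINX), ("hardened", HARDENED_NGINX)):
        for directive, verdict in audit_config(cfg):
            print(f"{label}: {directive} -> {verdict}")
```

The Apache parser is the part worth keeping even if you only run nginx: a line such as `SSLProtocol TLSv1 +TLSv1.2` leaves TLS 1.0 on, because the unsigned first token sets the list rather than adding to it, and a static read of the file is the quickest way to catch that before an assessor does.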

Not upgrading to more secure protocols can put your ecommerce business at serious risk for a security breach. There are other important changes in the standards that will go into effect on Feb. 1, 2018, for merchants and service providers:

  • Requirement 6.4.6 — Change management implementation and documentation
  • Requirement 8.3.1 — Multi-factor authentication for any admin access to the CDE

We see many organizations starting to use jump servers to centralize administrative access and to host the multi-factor authentication mechanism. A jump server can also reduce the scope of the PCI DSS assessment.

The rest of the changes going into effect on Feb. 1, 2018, are for service providers only:

  • Requirement 3.5.1 — Documented cryptographic architecture
  • Requirement 10.8 — Detection and reporting of critical security control failures
  • Requirement 10.8.1 — Respond to and document failures of any critical security controls
  • Requirement 11.3.4.1 — Six-month penetration testing of segmentation controls
  • Requirement 12.4.1 — Assign responsibility for PCI DSS compliance and create a PCI DSS charter
  • Requirement 12.11.a — Six-month management review of policy and process compliance
  • Requirement 12.11.1 — Documentation of the six-month management review

For more information about the PCI DSS changes coming in 2018, watch our video explaining each and how they could affect you.

To learn how Sword & Shield can help your business reach PCI DSS compliance, please call us at 865-244-3500 or email at secureme@swordshield.com.


Jack Dempsey is Sword & Shield Enterprise Security’s PCI DSS managing consultant. His primary role is to oversee the company’s PCI program as well as work closely with our PCI customers.

Sword & Shield specializes in security, risk and compliance assessment, managed security services, enterprise security consulting, security incident response and forensics, and technical solutions.


EDGE Security Conference is an annual event presented by Sword & Shield Enterprise Security, Inc. EDGE2017 is focused on exploring real-world solutions to today’s toughest cybersecurity challenges. To learn more about EDGE2017, visit www.edgesecurityconference.com/.

