PCI DSS Changes to Be Enforced in 2018: Are you ready?
By Jack Dempsey
The Payment Card Industry Data Security Standard (PCI DSS) is a security standard for merchants and service providers that process, store or transmit credit card information. Forward-dated changes in version 3.2 of the DSS, which require increased network security, will be enforced in 2018. Are you ready?
The most important change to the standards will be enforced beginning July 1, 2018. That’s when merchants and service providers must discontinue support for the Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) cryptographic protocols. Although the protocols once provided the basis of secure network communications, they have been compromised and are no longer considered secure.
The PCI Security Standards Council website stresses the dangers that SSL and early TLS pose to merchants and providers:
- There are many serious vulnerabilities in SSL and early TLS that, left unaddressed, put organizations at risk of being breached. The widespread POODLE and BEAST exploits are just a couple of examples of how attackers have taken advantage of weaknesses in SSL and early TLS to compromise organizations.
- According to NIST, there are no fixes or patches that can adequately repair SSL or early TLS. Therefore, it is critically important that organizations upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS.
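As an added check that is not part of the original article, the Python probe below reports whether a server still negotiates SSLv3, TLS 1.0 or TLS 1.1 (the versions the requirement above covers) and whether the result satisfies the protocol requirement; the host, port and status names are assumptions.

```python
import socket
import ssl
import warnings

# Versions PCI DSS 3.2 says to stop supporting: SSL (SSLv3 here) and early
# TLS (TLS 1.0, with TLS 1.1 treated as legacy too), plus whether this
# Python/OpenSSL build can speak each one at all. TLS 1.2+ is not probed.
LEGACY_VERSIONS = {
    "SSLv3": (ssl.TLSVersion.SSLv3, ssl.HAS_SSLv3),
    "TLSv1.0": (ssl.TLSVersion.TLSv1, ssl.HAS_TLSv1),
    "TLSv1.1": (ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
}

def legacy_probe_context(version):
    """Client context pinned to one legacy version; None if OpenSSL refuses it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Cert checks are off on purpose: we ask only whether the server negotiates this version.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with warnings.catch_warnings():  # Python deprecates these versions
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = version
            ctx.maximum_version = version
        # Lower OpenSSL's security level so the server, not our client, decides on TLS 1.0/1.1.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    return ctx

def probe_legacy_protocols(host, port=443, timeout=5.0):
    """Map each legacy version to accepted/rejected/unsupported-locally/error."""
    results = {}
    for name, (version, locally) in LEGACY_VERSIONS.items():
        ctx = legacy_probe_context(version) if locally else None
        if ctx is None:
            results[name] = "unsupported-locally"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[name] = "accepted"  # handshake completed: finding
        except ssl.SSLError:
            results[name] = "rejected"  # no agreement on this version: good
        except OSError:
            results[name] = "error"  # no connection or reset: inconclusive
    return results

def meets_pci_protocol_requirement(results):
    return all(s in ("rejected", "unsupported-locally") for s in results.values())
```

A result of "unsupported-locally" means the scanning host itself cannot speak that version, so run the probe from a build that still has it enabled if you need a definitive answer for that version.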
Not upgrading to more secure protocols can put your ecommerce business at serious risk for a security breach. There are other important changes in the standards that will go into effect on Feb. 1, 2018, for merchants and service providers:
- Requirement 6.4.6 — Change management implementation and documentation
- Requirement 8.3.1 — Multi-factor authentication for any admin access to the CDE
We see many organizations starting to use jump servers to centralize access and as the place to locate the multi-factor authentication mechanism. A jump server can also reduce the scope of the PCI DSS assessment.
The rest of the changes going into effect on Feb. 1, 2018, are for service providers only:
- Requirement 3.5.1 — Documented cryptographic architecture
- Requirement 10.8 — Detection and reporting of failures of critical security controls
- Requirement 10.8.1 — Respond to and document failures of any critical security controls
- Requirement 11.3.4.1 — Six-month penetration testing of segmentation controls
- Requirement 12.4.1 — Assign responsibility for PCI DSS compliance and create a PCI DSS charter
- Requirement 12.11.a — Six-month management review of policy and process compliance
- Requirement 12.11.1 — Documentation of the six-month management review
For more information about the PCI DSS changes coming in 2018, watch our video explaining each and how they could affect you.
To learn about Sword & Shield’s PCI Council-recognized expertise, read about our acknowledgement for contribution to the PCI DSS.
Sword & Shield specializes in security, risk and compliance assessment, managed security services, enterprise security consulting, security incident response and forensics, and technical solutions.