PCI DSS 3.2: What You Need to Know
New multi-factor authentication rules, added service provider regulations and extended migration dates are among the features of the newly-released Payment Card Industry Data Security Standard 3.2 upgrade.
The upgrade, released in late April, spells out some significant changes in how cardholder data is accessed. The move comes as a result of the Verizon 2016 Data Breach Investigations Report that confirms 63 percent of all breaches involved weak, default or stolen passwords.
PCI DSS 3.2 now requires that system administrators who have access to a Cardholder Data Environment (CDE) must use multi-factor authentication. Single-factor authentication for local access is no longer acceptable.
In addition to local access changes, the new regulations also put a heavier burden on service providers. These are the organizations that help merchants store, process or transmit customer data.
PCI DSS 3.2 requires service providers to detect and report on the failing of critical security control systems and to have a penetration test every six months in addition to running quarterly checks to ensure their personnel are following security protocols.
Finally, the new rules extend the time merchants should switch from the less secure Security Sockets Layer (SSL) and early Transport Layer Security (TLS) clients to the more secure version of TLS (currently 1.0 or higher). The transition initially was to be required by July 1 of this year, but the PCI Council pushed back the date to July 1, 2018 to ease the transition.
For more information on the new requirements, please visit the PCI Council’s website.