PCI DSS 3.2 - Essential Changes You Should Know
The Payment Card Industry Security Standards Council (PCI SSC) began enforcing PCI Data Security Standard (PCI DSS) version 3.2 in February 2018. What are the major changes compared to the previous version, and what do you need to know to stay compliant?
What Is PCI DSS 3.2?
PCI DSS was created to protect payment cardholders' information and to encourage the broad, consistent adoption of data security measures worldwide. PCI DSS 3.2 is the latest version of this set of requirements, which applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers. It covers the following areas:
- Build and maintain secure networks and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
How Does PCI DSS 3.2 Differ From the Previous Version?
Here are the significant updates made in PCI DSS 3.2 and how they should be implemented:
Continuous Security Validation
The inclusion of the PCI DSS Designated Entities Supplemental Validation (DESV) criteria in PCI DSS 3.2 is intended to ensure that PCI DSS security controls are continuously monitored and enforced, rather than being treated as a periodic (or annual) validation exercise.
As more technology initiatives are deployed iteratively, the environment in which cardholder data is processed and stored often changes multiple times over the course of a year. A yearly (or even quarterly) evaluation is therefore no longer sufficient to ensure the security of such an environment.
PCI DSS 3.2 requires that security validation be built into change management processes, so that device inventories, configuration standards and security measurements are kept up to date throughout any iterative process.
Detection and Reporting on Failures
PCI DSS 3.2 requires organizations to create a formal procedure for detecting and reporting failures of critical security controls. This matters because the longer a security breach goes undetected, the more time criminals have to compromise systems and steal sensitive cardholder information.
This new requirement is only applicable to service providers; however, all organizations are encouraged to apply aspects of this control to improve their security hygiene.
Segmentation Penetration Testing
PCI DSS 3.2 requires service providers to perform penetration tests on their segmentation controls every six months (instead of every 12 months, as required by the previous version) to demonstrate that the segmented environments are completely isolated. A six-month interval is the minimum requirement, and organizations are encouraged to validate the effectiveness of their segmentation as frequently as possible.
Segmentation of the cardholder data environment is one of the most important controls in PCI DSS, and this update emphasizes the importance of frequent testing to ensure that security controls are functioning as intended at all times.
A PCI DSS Compliance Program
The latest PCI DSS version requires the creation of a PCI DSS compliance program that gives executives visibility, so that leadership can respond effectively to changes in payment card security. It ensures that the protection of cardholder data becomes an integral part of the organization's business operations.
Under this requirement, a PCI DSS program should be established, and either an individual or a business unit is assigned responsibility for overseeing the organization's compliance measures.
Multi-Factor Authentication
While PCI DSS already required multi-factor authentication for remote access, the update now requires any personnel with non-console administrative access to any system that handles card data to use two or more technologies (e.g., token, smart card, biometrics) to verify their identity before gaining access to sensitive information.
Quarterly Security Reviews
PCI DSS 3.2 requires service providers to perform quarterly reviews to confirm that security policies and operational procedures are being followed within the organization on a continuous basis.
Organizations should use these reviews to verify that appropriate evidence, such as audit logs, vulnerability scan reports and firewall rule reviews, is being properly maintained. Such a process also helps prepare for subsequent PCI DSS assessments.
Promote Data Security by Staying Compliant
As technologies evolve, there are more moving parts in the handling of cardholder information, and it is imperative that every environment is secured against potential breaches. The main changes in the latest version of PCI DSS are designed to ensure that security measures are implemented and validated as an ongoing practice throughout an organization.
When it comes to security, 8x8 provides reliable and compliant cloud solutions at a demanding level rarely seen by other cloud providers. Don't take your chances with a subpar cloud-based telecom system. Call 1-866-879-8647 or fill out our online form to request a no-obligation quote from an 8x8 Product Specialist.