PCI DSS version 3.2 contains substantial changes for payment card processors and their service providers

Robinson+Cole Data Privacy + Security Insider

In April 2016, the Payment Card Industry Security Standards Council published a new version of the PCI Data Security Standard (PCI DSS). PCI DSS Version 3.2 is intended to emphasize the importance of validating the existence, and testing the effectiveness, of security controls for parties in the payment card collection and processing chain. The changes fall essentially into two areas: those that apply to primary parties, and controls for service providers designated under the PCI DSS Standard.

For primary parties, the most significant change relates to multi-factor authentication. Previously, PCI DSS required two-factor authentication for untrusted, remote access into systems that are part of the cardholder data environment. Under PCI DSS 3.2, multi-factor authentication is required for users with ‘administrator’ access to the cardholder data environment. The change to the term “multi-factor” recognizes that organizations may choose higher security standards. The more important aspect of the change is that internal systems require re-architecture to provide multi-factor authentication as part of the authentication process. This means that a password alone will no longer be enough to verify most users’ identities and grant access to the systems in scope of the Standard.

Service providers, as designated under the Designated Entities Supplemental Validation (the “DESV”) appendix to the PCI DSS Standard, have a new set of requirements. The new requirements include: maintaining a documented description of the service provider’s cryptographic architecture, reporting on failures of critical security control systems, and formalizing executive management responsibility for protection of cardholder data and the PCI DSS compliance program. Entities that are not designated service providers, but that may touch on a part of the overall cardholder environment, are recommended to comply with the DESV as well.

The new requirements under PCI DSS 3.2 are considered best practices until January 31, 2018, at which time they will be mandatory.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising
