3 Key Changes to PCI Standards

Multifactor authentication required in new version of data-security rules

WAKEFIELD, Mass. -- The PCI Security Standards Council recently published version 3.2 of its Data Security Standard (PCI DSS), which addresses growing threats to the security of customer payment information.


The PCI council said companies that accept, process or receive payments should adopt it as soon as possible to prevent, detect and respond to cyberattacks that can lead to breaches. Version 3.1 will expire Oct. 31, 2016.

“The payments industry recognizes PCI DSS (Data Security Standard) as a mature standard, so the primary changes in version 3.2 are clarifications on requirements that help organizations confirm that critical data-security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process,” said Stephen Orfei, general manager for the Wakefield, Mass.-based council. “This includes new requirements for administrators and service providers, and the cardholder-data environments they are responsible for protecting. PCI DSS 3.2 advocates that organizations focus on people, process and policy, with technology playing an important role in reducing the overall cardholder-data footprint.”

The update to the standard is part of a regular process for ensuring that PCI DSS addresses current challenges and threats, council officials said in a statement. This process factors in industry feedback from the PCI council’s more than 700 global participating organizations, as well as data-breach report findings and changes in payment acceptance.

“We’ve seen an increase in attacks that circumvent a single point of failure, allowing criminals to access systems undetected and to compromise card data. A significant change in PCI DSS 3.2 includes multifactor authentication as a requirement for any personnel with administrative access into environments handling card data,” said Troy Leach, CTO of the council. “Previously, this requirement applied only to remote access from untrusted networks. A password alone should not be enough to verify the administrator’s identity and grant access to sensitive information.”

Also, service providers, specifically those that aggregate large amounts of card data, continue to be at risk, Leach said. "PCI DSS 3.2 includes a number of updates to help these entities demonstrate that good security practices are active and effective,” he said.

Key changes in PCI DSS 3.2 include:

  • Revised Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) sunset dates, as outlined in the council's "Bulletin on Migrating from SSL and Early TLS."
  • Expansion of requirement 8.3 to include use of multifactor authentication for administrators accessing the cardholder-data environment.
  • Additional security validation steps for service providers and others, including the “Designated Entities Supplemental Validation” (DESV) criteria, previously published as a separate document.
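The SSL and early TLS sunset is the one item in this list that an engineer can verify directly, by checking what protocol versions clients on the cardholder-data environment still offer. The script below is an added example, not code from the PCI Security Standards Council or from this article: it parses the version fields of a TLS ClientHello (the legacy version field and, where present, the supported_versions extension) and reports every offered version below a configurable floor. The floor defaults to TLS 1.2, which is what the council's migration guidance recommends moving to; SSLv3 and TLS 1.0 are the versions the bulletin requires retiring, and whether TLS 1.1 is also flagged depends on the floor you pass. The sample hellos are constructed in the script, not captured traffic, and carry only the fields needed for the parse.

```python
import struct

# Protocol version codes as they appear on the wire (major, minor).
VERSION_NAMES = {
    0x0300: "SSLv3",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 supported_versions extension


def build_client_hello(legacy_version, supported_versions=None):
    """Build a constructed sample ClientHello (not real captured traffic).

    Only the fields the parser below needs are filled in: one cipher suite,
    the null compression method, and an optional supported_versions extension.
    """
    body = struct.pack("!H", legacy_version)
    body += b"\x00" * 32                              # client random (zeros in this sample)
    body += b"\x00"                                   # empty session id
    body += struct.pack("!H", 2) + b"\x00\x2f"        # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                               # one compression method: null
    extensions = b""
    if supported_versions:
        data = bytes([2 * len(supported_versions)])
        data += b"".join(struct.pack("!H", v) for v in supported_versions)
        extensions += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    # Record layer: type handshake (0x16); the record version is 3.1 by convention
    # regardless of the versions the client actually offers.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def offered_versions(record):
    """Return the protocol versions a ClientHello offers, highest first.

    With a supported_versions extension the list is explicit. Without one the
    only signal is the legacy version field, which is the highest version the
    client supports, so that single value is returned; the server, not this
    field, decides whether a lower version gets negotiated.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    pos += 32                                          # skip client random
    pos += 1 + body[pos]                               # skip session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher suites
    pos += 1 + body[pos]                               # skip compression methods
    versions = set()
    if pos + 2 <= len(body):                           # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS and edata:
                n = edata[0]                           # byte length of the version list
                for i in range(0, n, 2):
                    versions.add(struct.unpack("!H", edata[1 + i:3 + i])[0])
    if not versions:
        versions.add(legacy_version)
    return sorted(versions, reverse=True)


def early_tls_offered(record, floor=0x0303):
    """Names of offered versions below `floor` (default TLS 1.2), highest first.

    An empty list means the hello offers nothing the migration bulletin asks
    you to retire at that floor.
    """
    return [VERSION_NAMES.get(v, hex(v)) for v in offered_versions(record) if v < floor]


if __name__ == "__main__":
    samples = {
        "legacy POS terminal": build_client_hello(0x0301),
        "modern browser": build_client_hello(0x0303, [0x0304, 0x0303]),
        "downgrade-tolerant client": build_client_hello(0x0303, [0x0303, 0x0302, 0x0301]),
    }
    for name, hello in samples.items():
        print(f"{name}: early versions offered = {early_tls_offered(hello)}")
```

Run against real ClientHellos extracted from a capture on the cardholder-data environment, the same function gives a per-client list of what still needs migrating; pass `floor=0x0302` if your policy treats TLS 1.1 as acceptable, which the council's guidance permits while still recommending TLS 1.2 or higher.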

A full copy of PCI DSS version 3.2, including a summary-of-changes document, is available from the PCI Security Standards Council. Leach said, “Moving forward, we expect incremental revisions like those in version 3.2 to address evolving threats to the payment landscape, with a focus on helping companies use this standard as a good framework for everyday security and best practice.”

The PCI Security Standards Council is a global forum that is responsible for the development, management, education and awareness of PCI DSS and other standards that increase payment-data security.
