In April, 2016, the Payment Card Industry Security Standards Council published a new version of the PCI Data Security Standard (PCI DSS). PCI DSS Version 3.2 is intended to emphasize the importance of validating the existence and testing effectiveness of security controls for parties in the payment card collection and processing chain. The changes are essentially in two areas, those that apply to primary parties, and controls for service providers designated under the PCI-DSS Standard.
For primary parties, the most significant change relates to multi-factor authentication. Previously, PCI DSS required untrusted, remote access into systems that are part of the cardholder data environment to use two-factor authentication. Under PCI DSS 3.2, multi-factor authentication is required for users with ‘administrator’ access to the cardholder data environment. The change to the term “multi-factor” recognizes that organizations may choose higher security standards. The more important aspect of the change is that internal systems require re-architecture to provide multi-factor authentication as part of the authentication process. This means that a password will no longer be enough to verify most user’s identity and grant access to the systems in scope of the Standard.
Service providers, as designated under the Designated Entities Supplemental Validation (the “DESV) appendix to the PCI DSS Standard, have a new set of requirements. The new requirements include: maintaining a documented description of the service provider’s cryptographic architecture, reporting on failures of critical security control systems, and formalizing executive management responsibility for protection of cardholder data and the PCI DSS compliance program. Entities that are not designated service providers, but may touch on a part of the overall cardholder environment, are recommended to comply with the DESV as well.
The new requirements under PCI DSS 3.2 are considered best practices until January 31, 2018, at which time they will be mandatory.