Three Highlights for Merchants in the new PCI DSS 3.2

You have other things you’d rather read than 100+ pages of PCI requirements

The PCI Security Standards Council released the newest version of the PCI Data Security Standard version 3.2 on Thursday.

Since today is Friday we’ll keep it light and easy with three important highlights for merchants:

“All processing and third party entities — including Acquirers, Processors, Gateways and Service Providers must provide a TLS 1.1 or greater service offering by June 2016.”

PayPal, Authorize.Net, and others will be switching over to require TLS 1.1. Have you verified that your application works with TLS 1.1 or greater? We have found that some e-commerce sites running on Magento, Drupal, and WordPress have issues with TLS 1.1 that require modifications to the code. Contact us to help you verify that your site will be ready.
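Two checks go with that question: what the TLS client library on your web server can offer at all, and what your gateway actually negotiates with you when anything below TLS 1.1 is refused. The script below is an added example for this article, not code from the PCI Council, PayPal, or Authorize.Net; `gateway.example.com` is a placeholder for your own gateway's API hostname, and the `classify_protocol` floor of TLS 1.1 is taken from the quoted requirement.

```python
import socket
import ssl

# Weakest to strongest, using the strings ssl.SSLSocket.version() returns.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
REQUIRED_MINIMUM = "TLSv1.1"  # the floor quoted from PCI DSS 3.2 above


def classify_protocol(negotiated: str) -> str:
    """'pass' if the negotiated protocol meets the TLS 1.1-or-greater floor, else 'fail'."""
    if negotiated not in PROTOCOL_ORDER:
        return "unknown"
    return ("pass" if PROTOCOL_ORDER.index(negotiated) >= PROTOCOL_ORDER.index(REQUIRED_MINIMUM)
            else "fail")


def local_stack_report() -> dict:
    """What this host's TLS library can offer as a client, before any network is involved."""
    ctx = ssl.create_default_context()
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "tls1_1": ssl.HAS_TLSv1_1,
        "tls1_2": ssl.HAS_TLSv1_2,
        "tls1_3": ssl.HAS_TLSv1_3,
        "default_minimum": ctx.minimum_version.name,
        "can_meet_floor": ssl.HAS_TLSv1_1 or ssl.HAS_TLSv1_2 or ssl.HAS_TLSv1_3,
    }


def probe_endpoint(host: str, port: int = 443, minimum=ssl.TLSVersion.TLSv1_1,
                   timeout: float = 5.0) -> dict:
    """Handshake with host:port, refusing anything below `minimum`, and report the result.

    Certificate validation stays on (default context), so an untrusted chain also fails.
    """
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = minimum
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                version = tls.version()
                return {"host": host, "negotiated": version,
                        "cipher": tls.cipher()[0], "result": classify_protocol(version)}
    except (ValueError, ssl.SSLError, OSError) as exc:
        # ValueError: this build cannot enable the requested minimum at all.
        return {"host": host, "negotiated": None, "error": str(exc), "result": "fail"}


if __name__ == "__main__":
    print(local_stack_report())
    # Placeholder: replace with your payment gateway's API hostname.
    print(probe_endpoint("gateway.example.com"))
```

Run it on the web server itself, not your laptop, because the OpenSSL build behind the server's PHP and curl is what the gateway will see. If PHP is linked against a different TLS library than the system Python, repeat the probe from within the application (for example a small curl call to the gateway) so the result reflects the library your checkout code actually uses.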

11.5.a: “Removed ‘within the cardholder data environment’ from testing procedure for consistency with requirement, as requirement may apply to critical systems located outside the designated CDE.”

All critical systems inside and outside the CDE (cardholder data environment: the systems and networks that touch credit card data) must now have file-integrity monitoring. That includes your website, even if it doesn't touch credit card data, because the website is critical to your business. SAQ A compliance just became more difficult to achieve.
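File-integrity monitoring at its core is a hashed baseline of the web root and a periodic comparison that reports files added, removed, or modified. The following is an added illustration written for this article, not a product or code from the PCI Council; the web root layout (`index.php`, `wp-config.php`, `wp-admin/admin.php`) and the three tampering events in `demo()` are constructed sample data.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of one file, read in chunks so large uploads do not load into memory whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the baseline; keep this copy off the monitored host or on read-only media."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into the three event types a FIM alert should carry."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed walk-through: toy web root, baseline, then one change of each kind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-admin").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'shop'); ?>\n")
        (root / "wp-admin" / "admin.php").write_text("<?php // admin ?>\n")

        baseline_path = root.parent / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Unexpected changes between two monitoring runs (constructed).
        (root / "index.php").write_text("<?php echo 'changed'; ?>\n")  # modified
        (root / "wp-admin" / "admin.php").unlink()                        # removed
        (root / "uploads.php").write_text("<?php // new file ?>\n")        # added

        result = compare(load_baseline(baseline_path), build_baseline(root))
        baseline_path.unlink()
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things make this worth more than a cron job: the baseline has to be refreshed as part of every legitimate deploy so the alerts stay meaningful, and it has to be stored where a compromise of the web server cannot rewrite it along with the files, otherwise the comparison proves nothing.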

“Expanded Requirement 8.3 into subrequirements, to require multi-factor authentication for all personnel with non-console administrative access, and all personnel with remote access to the CDE.”

The big one for both service providers and merchants. Multi-factor authentication (MFA) means you use two means of authentication to access an account. For an example, see our previous article on MFA with WordPress using a YubiKey. If your application does touch credit card data, all user accounts that can affect the security of the environment will need MFA as well.

This includes your website’s admin interface, your hosting company’s control panel, your DNS control panel, and so on. If adding MFA to an application is too challenging, the provider may instead require access via a VPN that uses MFA. I encourage MFA to be employed everywhere possible.

Dates to add to your calendar and work towards:

  • PCI DSS 3.1 will retire on 31 October 2016, and after this time all assessments will need to use version 3.2.
  • Between now and 31 October 2016, either PCI DSS 3.1 or 3.2 may be used for PCI DSS assessments.
  • The new requirements introduced in PCI DSS 3.2 are considered best practices until 31 January 2018.
  • Starting 1 February 2018 they are effective as requirements and must be used.

Need help with becoming or remaining PCI compliant? Don’t wait and contact us today.


Originally published at www.endertechnology.com on April 30, 2016.