Corporate Compliance Insights

What You Need to Know about the New PCI Standard

by Jeffrey Sanchez
November 10, 2016
in Uncategorized
Updates to payment card data security standard to affect compliance

In April 2015, the Payment Card Industry Security Standards Council (PCI SSC) released PCI Data Security Standard (PCI DSS) version 3.2, the latest update of the widely accepted policies and procedures governing the security of credit, debit and cash card transactions and protecting cardholders from the misuse of personal information. This version becomes the official standard on November 1, 2016.

As with every prior release, version 3.2 includes many minor clarifications and clerical changes. But there are also some significant changes for which new processes or additional technologies will need to be deployed. And while some of the requirements of the new standard won’t become effective until 2018, these changes may take months or years to implement, so many organizations could find themselves out of compliance for an extended period, due to the complexity and detail of the work required.

Major Changes

These are changes affecting all merchants, for which new processes or additional technologies may need to be deployed:

#1: Multi-factor authentication

(The term “multi-factor authentication” replaces “two-factor authentication.”) Effective immediately, multi-factor authentication (MFA) must be used for all remote access (originating from outside the organization’s network), including users, administrators and third parties. Effective February 1, 2018, multi-factor authentication will be required for all administrative access to the cardholder data environment (CDE), even when connecting from an internal corporate network. Additionally, because many organizations were using internal MFA as a compensating control for other gaps, once MFA becomes a requirement, it is no longer “above and beyond” the standard and therefore doesn’t meet the requirements of a compensating control – thus, a new compensating control will need to be put in place. The latter requirement is the one that may be the most disruptive.

#2: File-integrity monitoring (FIM)

PCI DSS 3.2 removes the phrase “within the cardholder data environment” from the security systems and process testing requirement (11.5.a.). This is a significant change for organizations that do not have FIM or other change-detection solutions deployed on all systems connected to the cardholder environment — point-of-sale or administrative workstations, for example.

#3: Change management

This is an area in which many organizations have had difficulty properly implementing a process and successfully documenting changes. The new requirement (6.4.6) adds steps to existing change management controls. Organizations are now required to verify and document all PCI DSS requirements affected by the change and to verify that they are still being met.

Changes for Service Providers

The following requirements suggest that the PCI Security Standards Council (PCI SSC) is placing an increased emphasis on service provider data controls and compliance — a shift consistent with the trend toward third-party, cloud-based financial technology (fintech). Service providers will need to assess these changes and remediate any gaps.

#4: Security controls monitoring

Service providers are required to monitor and report on failures of critical security systems. Specific failures may vary according to the function of the device or technology in use. Typical failures might include a system ceasing to perform its security function or not functioning in its intended manner; for example, a firewall erasing all its rules or going offline.

Incident response/problem management processes need to be updated as applicable. Critical systems include, but are not limited to:

  • Firewalls
  • Intrusion detection/intrusion prevention
  • FIM
  • Anti-virus
  • Physical access controls
  • Logical access controls
  • Audit-logging mechanisms
  • Segmentation controls (if used)

In addition, the following processes need to be added to the incident response/problem management program:

  • Restoring security functions
  • Identifying and documenting the duration (date and time, start to end) of the security failure
  • Identifying and documenting the cause(s) of failure, including the root cause, and documenting remediation required to address the root cause
  • Identifying and addressing any security issues that arose during the failure
  • Performing a risk assessment to determine whether further actions are required as a result of the security failure
  • Implementing controls to prevent the cause of failure from reoccurring
  • Resuming monitoring of security controls
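The monitoring and documentation steps in #4 can be exercised with a small script. The following Python is an added example, not code from the article, the PCI SSC or any vendor: it parses constructed status heartbeats from a firewall, a FIM agent and an anti-virus agent (the line format, host names and the five-minute interval are assumptions), flags a control that reports a non-ok status or an empty firewall rule set, treats a missed heartbeat as the control going offline, and records start, end and duration for each failure together with the fields the incident process must still complete.

```python
# Added illustration for the critical-control failure detection and documentation
# described above (PCI DSS 3.2 Req. 10.8/10.8.1). Not PCI SSC code; the heartbeat
# format, host names and 5-minute interval are constructed for this example.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed status heartbeats from a firewall, a FIM agent and an anti-virus agent.
SAMPLE_LOG = """\
2016-11-01T00:00:00Z fw-edge-1 firewall status=ok rules=212
2016-11-01T00:05:00Z fw-edge-1 firewall status=ok rules=0
2016-11-01T00:10:00Z fw-edge-1 firewall status=offline
2016-11-01T00:15:00Z fw-edge-1 firewall status=ok rules=212
2016-11-01T00:00:00Z fim-pos-07 fim status=ok
2016-11-01T00:05:00Z fim-pos-07 fim status=ok
2016-11-01T00:25:00Z fim-pos-07 fim status=ok
2016-11-01T00:00:00Z av-ws-12 antivirus status=ok
2016-11-01T00:05:00Z av-ws-12 antivirus status=ok
2016-11-01T00:10:00Z av-ws-12 antivirus status=ok
"""

HEARTBEAT = timedelta(minutes=5)  # assumed reporting interval for every control
NOW = datetime(2016, 11, 1, 0, 25, tzinfo=timezone.utc)  # evaluation time for the sample


@dataclass
class Observation:
    ts: datetime
    control: str
    kind: str
    status: str
    fields: dict


@dataclass
class Failure:
    control: str
    kind: str
    reason: str
    start: datetime
    end: Optional[datetime]  # None while the control is still failing

    @property
    def duration(self) -> Optional[timedelta]:
        return None if self.end is None else self.end - self.start


def parse_line(line: str) -> Observation:
    ts, control, kind, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Observation(when, control, kind, fields.pop("status", "unknown"), fields)


def failure_reason(obs: Observation) -> Optional[str]:
    """Reason string if this observation shows the control not performing its function."""
    if obs.status != "ok":
        return f"status={obs.status}"
    if obs.kind == "firewall" and obs.fields.get("rules") == "0":
        return "rule set empty"  # the 'firewall erasing all its rules' case
    return None


def detect_failures(log_text: str, now: datetime) -> list:
    by_control = {}
    for line in log_text.splitlines():
        if line.strip():
            o = parse_line(line)
            by_control.setdefault(o.control, []).append(o)
    failures = []
    for control, obs in by_control.items():
        obs.sort(key=lambda o: o.ts)
        current, last = None, None
        for o in obs:
            # A gap of more than two intervals means the control stopped reporting.
            if last is not None and o.ts - last.ts > 2 * HEARTBEAT:
                failures.append(Failure(control, o.kind, "no heartbeat", last.ts + HEARTBEAT, o.ts))
            reason = failure_reason(o)
            if reason and current is None:
                current = Failure(control, o.kind, reason, o.ts, None)  # failure starts
            elif not reason and current is not None:
                current.end = o.ts  # control reports ok again: failure ends
                failures.append(current)
                current = None
            last = o
        if current is not None:
            failures.append(current)  # still failing at the end of the log
        if last is not None and now - last.ts > 2 * HEARTBEAT:
            failures.append(Failure(control, last.kind, "no heartbeat", last.ts + HEARTBEAT, None))
    return sorted(failures, key=lambda f: (f.start, f.control))


def failure_record(f: Failure) -> dict:
    """Skeleton of what the incident process must document for each failure."""
    return {
        "control": f.control, "type": f.kind, "reason": f.reason,
        "start": f.start.isoformat(), "end": f.end.isoformat() if f.end else "ongoing",
        "duration_minutes": None if f.duration is None else f.duration.total_seconds() / 60,
        "root_cause": None, "issues_during_failure": None,
        "risk_assessment": None, "recurrence_controls": None, "monitoring_resumed": None,
    }


if __name__ == "__main__":
    for failure in detect_failures(SAMPLE_LOG, NOW):
        print(failure_record(failure))
```

On the sample, the firewall's empty rule set at 00:05 and its offline report at 00:10 are one failure lasting ten minutes, the FIM agent's missed heartbeats become a fifteen-minute failure, and the anti-virus agent is still silent at evaluation time, so its record stays open; an open record is the trigger for the restore and root-cause steps listed above.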

#5: Executive management responsibility

Service providers are now required to assign PCI compliance responsibility to a C-level executive, board member or individual of comparable authority. While service providers were previously required to have a designated executive sign the attestation of compliance (AOC), version 3.2 formally documents the responsibility.

#6: Operational reviews

Service providers are required to perform quarterly reviews of operational processes. These include but are not limited to:

  • Daily log reviews
  • Firewall rule set reviews
  • Application of configuration standards to new systems
  • Response to security alerts
  • Change management processes

#7: Penetration testing

Service providers are now required to test segmentation controls (if segmentation is used to reduce scope) at least every six months, compared to at least annually in v3.1.

#8: Cryptographic architecture

Service providers are required to create a documented description of the cryptographic architecture used in the CDE. This document must include details of all algorithms, protocols and keys used for the protection of cardholder data, including key strength and expiration date; a description of the usage for each key; and an inventory of any hardware security modules and other secure cryptographic devices used for key management.

Other notable items

Migration from the now-vulnerable Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) to a more secure protocol version has been an area of increasing priority over the past few years. Most organizations should have completed, or at least begun, the process by now. The PCI SSC released a bulletin on this in December 2015, extending the migration cutoff date to June 30, 2018 (previously June 30, 2016). This update is reflected in PCI DSS v3.2.
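The documented cryptographic architecture in #8 and the SSL/early TLS migration just described are both inventory-and-check exercises, so one script can serve both. The following Python is an added example, not from the article or the PCI SSC: it keeps a constructed inventory of keys, protocols and secure cryptographic devices and audits it for undocumented fields, expired keys, algorithms or strengths below assumed policy floors, keys held outside the inventoried devices, and services that still enable SSL or early TLS or do not offer TLS 1.2 or higher. The key names, device names, dates and strength thresholds are all assumptions.

```python
# Added illustration of an auditable cryptographic architecture document
# (PCI DSS 3.2 Req. 3.5.1) plus the SSL/early TLS check. Not PCI SSC code; the
# inventory, the device names and the strength thresholds are all constructed.
from dataclasses import dataclass
from datetime import date

AS_OF = date(2016, 11, 1)  # date the inventory is assessed against

# Constructed inventory: every key carries algorithm, strength, usage and expiry,
# and points at the secure cryptographic device (SCD) that holds it.
INVENTORY = {
    "devices": [{"id": "hsm-dc1", "type": "HSM", "role": "key management"}],
    "keys": [
        {"id": "dek-pan-2016", "usage": "PAN encryption at rest", "algorithm": "AES",
         "bits": 256, "expires": "2018-06-30", "stored_in": "hsm-dc1"},
        {"id": "kek-legacy", "usage": "key-encrypting key", "algorithm": "3DES",
         "bits": 112, "expires": "2016-10-01", "stored_in": "hsm-dc1"},
        {"id": "tls-web-2016", "usage": "TLS server key", "algorithm": "RSA",
         "bits": 2048, "expires": "2017-11-01", "stored_in": "web-01"},
        {"id": "mac-batch", "algorithm": "HMAC-SHA256", "bits": 256,
         "expires": "2017-06-30", "stored_in": "hsm-dc1"},  # usage never documented
    ],
    "protocols": [
        {"service": "payment-api", "versions": ["TLSv1.2"]},
        {"service": "legacy-gateway", "versions": ["SSLv3", "TLSv1.0", "TLSv1.2"]},
        {"service": "admin-portal", "versions": ["TLSv1.0"]},
    ],
}

# Assumed policy floors for this example; take them from your own key-management policy.
MIN_BITS = {"AES": 128, "RSA": 2048, "ECDSA": 256, "HMAC-SHA256": 256}
EARLY = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}  # "SSL and early TLS"
MODERN = {"TLSv1.2", "TLSv1.3"}


@dataclass
class Finding:
    subject: str
    message: str


def check_keys(inv: dict, as_of: date) -> list:
    findings = []
    devices = {d["id"] for d in inv.get("devices", [])}
    for k in inv.get("keys", []):
        missing = [f for f in ("usage", "algorithm", "bits", "expires") if f not in k]
        if missing:
            findings.append(Finding(k.get("id", "?"), "undocumented: " + ", ".join(missing)))
            continue
        if date.fromisoformat(k["expires"]) < as_of:
            findings.append(Finding(k["id"], f"expired on {k['expires']}"))
        floor = MIN_BITS.get(k["algorithm"])
        if floor is None:
            findings.append(Finding(k["id"], f"algorithm {k['algorithm']} not on the approved list"))
        elif k["bits"] < floor:
            findings.append(Finding(k["id"], f"{k['algorithm']}-{k['bits']} below minimum {floor}"))
        if k.get("stored_in") not in devices:
            findings.append(Finding(k["id"], f"held on {k.get('stored_in')}, not an inventoried SCD"))
    return findings


def check_protocols(inv: dict) -> list:
    findings = []
    for svc in inv.get("protocols", []):
        versions = set(svc["versions"])
        weak = sorted(versions & EARLY)
        if weak:
            findings.append(Finding(svc["service"], "SSL/early TLS enabled: " + ", ".join(weak)))
        if not versions & MODERN:
            findings.append(Finding(svc["service"], "does not offer TLS 1.2 or higher"))
    return findings


def audit(inv: dict, as_of: date) -> list:
    return check_keys(inv, as_of) + check_protocols(inv)


if __name__ == "__main__":
    for f in audit(INVENTORY, AS_OF):
        print(f"{f.subject}: {f.message}")
```

Pinning the assessment date makes the audit reproducible for an assessor; re-running it with a later date shows which keys will expire before the next review, and a service appearing under "SSL/early TLS enabled" is the migration work still outstanding.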

Also, effective immediately, online merchants who are redirecting customers to third-party payment pages will become subject to a handful of existing PCI DSS controls addressing the potential for vulnerabilities and fraud on the merchant side of the redirect process — including the ability for hackers to change the redirect and capture credit card data. These requirements were already part of the standard but were not previously applicable to merchants using hosted payment pages.

For these merchants, six controls, drawn from PCI DSS Requirement 2 (changing default passwords and implementing an incident response plan) and Requirement 8 (unique user ID and strong password, disabling access for terminated users and not using group or shared passwords) will be added to the Self-Assessment Questionnaire A, which must be completed annually. As controls go, these are pretty light duty — certainly much lighter than the hundreds of controls required of merchants that collect and hold card data. They are easy to address, and they are things merchants should probably already be doing.

Key Dates and Deadlines

PCI DSS v3.1 was retired on October 31, 2016.

Seven changes have an effective date of February 1, 2018. These changes impact the following requirements:

  • 3.5.1 – Documenting cryptographic architecture
  • 6.4.6 – Assessment of PCI DSS requirements impacted by each change
  • 8.3.1 – Multi-factor authentication for all access to CDE
  • 10.8, 10.8.1 – Detecting and reporting failures in critical security control systems
  • 11.3.4.1 – Penetration testing segmentation controls at least every six months
  • 12.4 – Executive management responsibility for protecting cardholder data
  • 12.11, 12.11.1 – Quarterly reviews of operational processes

Migrating from SSL and early TLS has been pushed to June 30, 2018, although service providers must already offer TLS 1.2 or higher as an option for customers. Newly certified payment applications (under the PCI PA 3.1 or higher standard) cannot use SSL or early TLS.

Finally, organizations should review the summary of changes, downloadable from pcisecuritystandards.org, determine which changes will affect them, conduct a gap analysis and begin developing a remediation plan for compliance. Be on the lookout for any controls that have increased in frequency or controls that now have frequency requirements, as such items are easy to miss.


Jeffrey Sanchez

Jeffrey Sanchez is Managing Director and co-leader of the global PCI practice at Protiviti. He is a Qualified Security Assessor with vast experience in technical consulting and audit, primarily in the retail and consumer products industries. He has authored many articles and papers and conducted numerous technical training courses on network security, privacy and PCI compliance. For the last 10 years, he has concentrated on information security, privacy consulting and remediation.

© 2022 Corporate Compliance Insights