PCI Standard Adds Multi-Factor Authentication Requirements

The PCI Security Standards Council (PCI SSC) has published a new version of its data security standard (DSS), used to safeguard payment data before, during and after a purchase is made. PCI DSS version 3.2 replaces version 3.1, which will expire on Oct. 31.

One significant change in PCI DSS 3.2 is that it includes multi-factor authentication as a requirement for any personnel with administrative access into environments handling card data. Previously this requirement applied only to remote access from untrusted networks.

“A password alone should not be enough to verify the administrator’s identity and grant access to sensitive information,” said PCI Security Standards Council CTO Troy Leach. “We’ve seen an increase in attacks that circumvent a single point of failure, allowing criminals to access systems undetected and to compromise card data.”

Additionally, service providers, specifically those that aggregate large amounts of card data, continue to be at risk. PCI DSS 3.2 includes a number of updates to help these entities demonstrate that good security practices are active and effective. This includes new requirement 6.4.6, which mandates that organizations ensure security controls are in place following a change in their cardholder data environment. Building this validation into change management processes helps ensure that device inventories and configuration standards are kept up to date and security controls are applied where needed.

Also, new requirements 10.8 and 10.8.1 outline that service providers need to detect and report on failures of critical security control systems, and new requirement 11.3.4.1 indicates that service providers need to perform penetration testing on segmentation controls every six months. Previously, it was required at least annually for all entities to demonstrate that their segmented environment was truly isolated.

The update also has added the PCI DSS Supplemental Designated Entities Validation (DESV) criteria as an appendix to the standard, as well as expanded a few existing PCI DSS requirements (3, 10, 11, 12) to include DESV controls for service providers specifically.

“The payments industry recognizes PCI DSS as a mature standard, so the primary changes in version 3.2 are clarifications on requirements that help organizations confirm that critical data security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process,” said PCI Security Standards Council GM Stephen Orfei. “This includes new requirements for administrators and service providers, and the cardholder data environments they are responsible to protect. PCI DSS 3.2 advocates that organizations focus on people, process and policy, with technology playing an important role in reducing the overall cardholder data footprint.”

The update to the standard is part of the regular process for ensuring the PCI DSS addresses current challenges and threats. This process factors in industry feedback from the PCI Council’s more than 700 global participating organizations, as well as data breach report findings and changes in payment acceptance.

Added Leach, “Moving forward, we expect incremental revisions like those in version 3.2 to address evolving threats to the payment landscape, with a focus on helping companies use this standard as a good framework for everyday security and business best practice.”
