The new revisions, embodied in PCI DSS Version 3.2 (see here), will go live on Oct. 31, 2016. They address multi-factor authentication and compliance monitoring as well as provide numerous clarifications to other unrelated issues (for a complete list, see the PCI Summary of Changes, here).
PCI is the organization that sets/updates debit/credit card security standards and regularly clarifies existing standards to reflect changes in the business and technical landscape. It was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc. They share equally in its governance and execution of the PCI's activities. The PCI DSS Council revisions discussed here were issued on April 28, 2016.
Below is an overview of each revision.
Multi-Factor Authentication Required For Card Administrators To Access Sensitive Card Data From All Networks
First, the revised rules will require card administrators to use multi-factor authentication to identify themselves when accessing sensitive cardholder data, regardless of whether they are accessing their systems onsite or remotely. Previously, administrators only needed multi-factor authentication when they were on an untrusted network. See Requirement 8.3 and its new subparts (here).
Going forward, this multi-factor requirement will extend to all networks – onsite as well as remote. Troy Leach, PCI Security Standards Council CTO, justified the revision as follows: “We’ve seen an increase in attacks that circumvent a single point of failure, allowing criminals to access systems undetected, and to compromise card data.” He added that “a password alone should not be enough to verify the administrator’s identity and grant access to sensitive information.”
Multi-factor authentication is a method of computer access by which a user is granted access only after correctly presenting several separate pieces of evidence to an authentication mechanism—typically involving at least two of the following categories of information: knowledge (something they know), possession (something they have, such as a card or token), and inherence (something they are, such as biometric characteristics).
By expanding this requirement to cover all networks, PCI seeks to amplify and strengthen all aspects of remote access to sensitive data maintained by merchants and their card processors.
Companies Must Monitor PCI Compliance As A Continuing Practice
Second, the April 2016 update also added criteria that instruct companies to apply and maintain the PCI standards as an continuing practice (specifically requiring reviews at least quarterly – see new Requirement 12.11 and subparts, here), rather than as an annual compliance exercise event associated with an audit or self-assessment.
Leach noted that compliance trends indicate that many organizations view PCI compliance as an annual exercise only, but that it is important for companies to prioritize PCI compliance as an ongoing around-the-clock effort rather than as a “one-off” event.
In this way, companies will be more likely to keep the issue of card data security on the forefront of their security efforts.
Note that the current version of the standards – PCI DSS 3.1 – will expire six months after the release of PCI DSS 3.2 (i.e., on Oct. 31, 2016).
Consequently, all revised/upgraded SAQ forms/procedures included with PCI DSS 3.2 (see here) should be used beginning on Nov. 1, 2016, for all evaluations occurring thereafter. However, these new components of PCI DSS 3.2 will not be a requirement until Feb. 1, 2018, in order to provide companies with sufficient time in which to implement the new standards into their existing systems (from Nov. 1, 2016, to Jan. 31, 2018, they will be “best practices” only).
Accordingly, Drinker Biddle recommends that companies/merchants commence an immediate review of their current authentication protocols and begin to plan to upgrade those systems to comply with the new PCI DSS 3.2 standards on an expeditious basis. With this in mind, it is also critical to build enough time into this process to allow for the proper training of all necessary employees affected by the new procedures (and all affected external processing service providers) to avoid last-minute implementation difficulties and to meet the Feb. 1, 2018, “requirements” deadline.
In addition, as part of this implementation process, companies should modify their current security programs so as to begin to prioritize PCI compliance as an ongoing year-long effort (if they have not yet done so already).