January 31, 2018 marked the date that all new requirements introduced in PCI DSS version 3.2 must be adopted by organizations and included in their PCI DSS assessment. Be aware that a minor revision to this version is already planned for mid-2018, which comes into force in 2019. We will explain all this below.
No need to worry
PCI DSS has always encouraged the implementation of security good practices in order to increase the information security. If you have incorporated this practice into your company, it will not be difficult to include these new requirements on time.
For Merchant and services providers, the new requirements are the following:
In order to be compliance with this requirement we recommend to specify a clear definition of the concept of “significant change” in order to identify it and when this event occurs, it is clear that the procedure must be followed.
The PCI Council does not provide a definition of “significant change” but in the requirement 11.2 suggests that this includes (but is not limited to):
- New installations of system components
- Changes in the network topology
- Modifications of firewall rules
- Software updates
- New web servers
Multi-factor authentication for all non-console administrative access (Requirement 8.3.1)
Surely your business has a multi-factor authentication access to the environment through a VPN, now you must extend this security concept as it is required for all non-console administrative access to the devices of the card environment.
Additional requirements for Services Providers
Maintain a documented description of the cryptographic architecture (Requirement 3.5.1)
Ask for more details about the implemented cryptographic architecture. That information must be added to the key management process.
Detect and respond to failures of critical security control systems (Requirements 10.8 and 10.8.1)
The systems, that used for security control, can fail and if it is not possible to detect, alert and act appropriately for long periods, attackers can have enough time to compromise the systems and steal confidential data from the data environment of the cardholder.
Perform penetration testing on segmentation controls at least every six months (Requirement 184.108.40.206)
If you have implemented segmentation on your network, this requirement tries to validate the PCI DSS scope to ensure It remains up to date and aligned with business objectives. Penetration testing is performed to verify segmentation controls at least every six months and after any changes to segmentation controls/methods.
Establish responsibility for the protection of cardholder data and a PCI DSS compliance program (Requirement 12.4.1)
This requirement aims to have a sponsor within the business that facilitates the implementation and control of PCI requirements. The executive management assignment of PCI DSS compliance responsibilities ensures executive level visibility into the PCI DSS compliance program and allows for the opportunity to ask appropriate questions to determine the effectiveness of the program and influence strategic priorities. Executive management may include C-level positions, a board of directors, or equivalent. The specific titles will depend on the particular organizational structure.
Perform reviews at least quarterly to ensure security policies and procedures are followed (Requirement 12.11 and 12.11.1)
This should be done to confirm whether security activities are being carried out continuously, thus helping the entity prepare for its next PCI DSS evaluation.
Deadline disabling SSL/early TLS is almost here
I take this opportunity to remind you of another important date on 30 June 2018. It is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet the PCI Data Security Standard for safeguarding payment data.
If you incorporate these new requirements you will be ready to comply with the new version of PCI DSS 3.2.1.
For more information, please visit the official PCI website.
About the author:
Natalia Morando is a security professional in PCI and has over 12 years of experience. For more information about PCI please feel free to contact Natalia.