Responding to the increasingly significant threats to customer payment information, the Payment Card Industry Security Standards Council (‘PCI SSC’) has published an update to its data security standard (‘PCI DSS’). Version 3.2 seeks to protect cardholder data by introducing:

  • A requirement of multi-factor authentication for any personnel with administrative access to cardholder data environments
  • New dates to migrate from Secure Sockets Layer (‘SSL’) and early Transport Layer Security (‘TLS’) communication protocols to a more secure, recent version of TLS
  • Additional responsibilities on service providers that hold their customers’ cardholder data, including:
    • To maintain a documented description of the cryptographic architecture
    • To detect and report on failures of critical security control systems
    • To include PCI DSS requirement verification in change management processes
    • To perform various tests and reviews periodically
    • To have executive management establish responsibility for protection of cardholder data and the PCI DSS compliance program
  • Certain requirements from the Designated Entities Supplemental Validation (‘DESV’ – a set of criteria that help entities overcome issues relating to the protection of payments). From ensuring effective oversight of compliance programs to the detection of failures in critical security controls, these requirements are more extensive for service providers than other entities.

The change requiring multi-factor authentication forms one of the biggest changes of the update.  Multi-factor authentication will require the introduction of a layered approach to granting access to systems that contain cardholder data, with each layer containing different categories of evidence and verification. New requirements for multi-factor authentication require: knowledge (i.e., a password); possession (for example, a security token); and/or the user’s own physical characteristics (i.e., biometric data).

Organisations should seek to adopt the new requirements as soon as practicable as a way of helping to prevent cyber incidents, even though the PCI SSC implementation period expires 1 February 2018. Although this update comes only a year after version 3.1, these continued and unrelenting efforts made by the PCI SSC illustrate the severity and changing nature of the security threats to cardholder data.