The Payment Card Industry Security Standards Council has issued an update to the Payment Card Industry Data Security Standard (PCI DSS) to provide greater clarity on new requirements.
One of the few changes in PCI DSS version 3.2 is the requirement of multifactor authentication for administrators accessing the cardholder data environment, whereas in the past the standard called for the use of multifactor authentication only for remote access to the cardholder data environment from untrusted networks.
In order to prepare for this change, the PCI Council said organisations should review how they are currently managing authentication into their cardholder data environment.
They must also review the current administrator roles and identify where changes to authentication may be affected by the new requirement.
The new version will replace version 3.1, which expires on the 31st October. However, the Security Standards Council said that companies that accept, process or receive payments should adopt the new version as soon as possible to prevent, detect and respond to cyber attacks.
All requirements introduced in the next version will be effective from the 1st February 2018, allowing merchants nine months to make any necessary changes to ensure they remain PCI DSS compliant.
PCI Council general manager, Stephen Orfei, said: “The payments industry recognises PCI DSS as a mature standard, so the primary changes in version 3.2 are clarifications on requirements that help organisations confirm that critical data security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process.
“This includes new requirements for administrators and service providers, and the cardholder data environments they are responsible to protect. PCI DSS 3.2 advocates that organisations focus on people, process and policy, with technology playing an important role in reducing the overall cardholder data footprint.”