02 Dec
3 Things Business Owners Need to Know About PCI DSS Version 3.2
On November 1, 2016, the Payment Card Industry (PCI) Security Standards Council’s newest set of Data Security Standards (DSS) went into effect. PCI DSS Version 3.2 has made a variety of changes for merchants and Service Providers alike. The language of these changes can be very confusing and some of it doesn’t apply to you, as a merchant and business owner. So, if you are a merchant and business owner, here is what YOU need to know:
1. Expanded Multi-Factor Authentication Requirements (Section 8.3)
You now need to use “multi-factor” authentication instead of “two-factor” authentication when accessing cardholder data from both local/internal networks and external/remote networks. The difference between “multi-factor” and “two-factor” authentication is that:
• “two-factor” requires 2 credentials – “multi-factor” requires a “minimum” of 2 credentials
• “multi-factor” requires the credentials to be 2 different forms of authentication, e.g., you cannot use two different passwords. You must use a password and a different form of authentication.
You now need to use at least 2 of these 3 forms of authentication:
• Something you know like a password or passphrase
• Something you have, like a token device or a smart card
• Something you are, like a biometric (fingerprint, etc.)
The change from “two-factor” to “multi-factor” is a “best practice” until January 31, 2018. It will be a requirement after that.
2. Change Control Processes (Section 6.4.6)
You now need to re-verify that PCI DSS requirements are intact after making a “significant” change to the system/network/environment where the cardholder data is stored. Examples of things required after a significant change:
• documenting the changes
• checking configurations
• updating documentation like network diagrams
• ensuring that new additions (hardware, applications, etc.) are subject to regular security testing like a monthly vulnerability scan
This change is a “best practice” until January 31, 2018. It will be a requirement after that.
3. Extended migration dates for SSL/early TLS
You now have until June 30, 2018 to replace the encryption security protocols SSL and early TLS (Transport Layer Security). After discovering serious vulnerabilities, the PCI Council originally stated these protocols had to be replaced by June 30, 2016. The deadline is now June 30, 2018. However, organizations using SSL and early TLS are required to prepare a formal “Risk Mitigation and Migration Plan” in the interim.
BASYS can help
At BASYS Processing we take your safety seriously. We separate ourselves from our competitors by having an in-house PCI Compliance Team of specialists, based at our home office in Lenexa, KS, and thoroughly trained on the latest version of PCI DSS. We pro-actively contact our merchants to walk them through the annual PCI Compliance process, eliminating that headache entirely.
If you are a current merchant and have PCI questions or concerns, please call us at (800) 386-0711 and ask to speak with someone in PCI Compliance. Our PCI Team is available Mon-Fri, 8am – 5pm CST to help you protect your business.
If you are with another processor, and PCI Compliance is a concern, a risk, or a headache for you, please call us at (800) 386-0711, and let’s talk about moving your credit card processing to BASYS and solving that problem for you.
BASYS Processing as a business partner
Does your current processor help you understand the ins and outs of the process? Do they provide great rates and excellent customer service? Are they being pro-active about helping you reduce your risk and increase your savings, and offering solutions to grow your business? Let’s talk about creating a true business partnership that will help you meet and exceed your goals for accepting credit cards and other payments. We make accepting debit cards and credit cards convenient, safe & affordable.
BASYS Processing features:
– Live operator when you call support – no automated voice systems
– Dedicated Relationship Manager for questions and concerns
– Quick response time for your questions and concerns; you are a priority
– Family owned since our founding in 2002
– A+ BBB rating
– 90% + Customer Retention Rate
– Proactive contact with every merchant to walk through the annual PCI process
– In-house PCI Team to assist with questions and concerns
– Solutions including terminals, virtual terminals, e-commerce, mobile, and point of sale
– EMV compliant products
– Reporting for customer, sales, and inventory management
– Gift and loyalty card programs
– Easy-to-read statements
– Transparent pricing
– Tremendous savings
About BASYS Processing
BASYS Processing provides credit card and debit card processing services, and solutions that include terminals, virtual terminals, e-commerce, mobile, and point-of-sale, customized to fit any need. Banks, associations, and software partners depend on us to strengthen their reputations and relationships with their customers by providing remarkable service paired with ultimate flexibility and pricing. Merchants depend on us to make accepting credit cards and debit cards convenient, safe & affordable. BASYS was founded in 2002 on one philosophy: to take care of our merchants, partners, and employees so they never want to leave. We are dedicated to working one-on-one with our customers to design the perfect solution. BASYS is Personalized Payment Processing.
Learn more at basyspro.com.