02 Dec PCI DSS Version 3.2 Security Standards and Requirements
3 THINGS BUSINESS OWNERS NEED TO KNOW
about the latest Credit Card Processing security standards and requirements, PCI DSS Version 3.2.
On November 1, 2016, the Payment Card Industry (“PCI”) Security Standards Council’s newest set of Data Security Standards (“DSS”) went into effect. PCI DSS Version 3.2 makes a variety of changes for merchants and Service Providers alike. The language of these changes can be very confusing, and some of it doesn’t apply to you as a merchant and business owner. So, if you are a merchant and business owner, here is what YOU need to know:
1. Expanded Multi-Factor Authentication Requirements (Section 8.3):
You now need to use “multi-factor” authentication instead of “two-factor” authentication when accessing cardholder data from both local/internal networks and external/remote networks. The difference between “multi-factor” and “two-factor” authentication is that:
• “two-factor” requires exactly 2 credentials – “multi-factor” requires a “minimum” of 2 credentials
• “multi-factor” requires the credentials to be 2 DIFFERENT forms of authentication. e.g., you cannot use two different passwords. You must use a password and a different form of authentication.
You now need to use at least 2 of these 3 forms of authentication:
• Something you know like a password or passphrase
• Something you have, like a token device or a smart card
• Something you are, like a biometric (fingerprint, etc.)
The change from “two-factor” to “multi-factor” is a “best practice” until January 31, 2018. It will be a requirement after that.
2. Change Control Processes (Section 6.4.6):
You now need to re-verify that PCI DSS requirements are intact after making a “significant” change to the system / network / environment where the cardholder data is stored. Examples of things required after a significant change:
• documenting the changes
• checking configurations
• updating documentation like network diagrams
• ensuring that new additions (hardware, applications, etc.) are subject to regular security testing like a monthly vulnerability scan
This change is a “best practice” until January 31, 2018. It will be a requirement after that.
3. Extended migration dates for SSL/early TLS:
You now have until June 30, 2018 to replace the SSL and early TLS (Transport Layer Security) encryption protocols. After serious vulnerabilities were discovered in these protocols, the PCI Council originally stated they had to be replaced by June 30, 2016. The deadline is now June 30, 2018. However, organizations still using SSL and early TLS are required to prepare a formal “Risk Mitigation and Migration Plan” in the interim.
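As an added example (not from BASYS or the PCI Council), here is a small Python check that a merchant’s IT staff could run against their own payment-facing host to see which protocol versions it still negotiates. It treats SSLv3 and TLS 1.0 as the “SSL/early TLS” versions to migrate away from, which is an assumption of this example, and the host name is a placeholder.

```python
import socket
import ssl

# Versions this example treats as "SSL/early TLS" (assumption: SSLv3 and TLS 1.0).
# SSLv2 cannot be offered by Python's ssl module at all, so it is not probed here.
LEGACY_VERSIONS = {"SSLv3", "TLSv1"}

PROBES = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def probe_version(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`: True if the server
    completed it, False if it refused, None if local OpenSSL cannot offer it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # negotiation only; the certificate is not under test
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # OpenSSL 3 refuses legacy versions at its default security level,
        # so lower it for this probe only; never do this in a production client.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False

def audit_host(host, port=443):
    """Map each protocol name to True/False/None for the given host."""
    return {name: probe_version(host, port, ver) for name, ver in PROBES.items()}

def legacy_findings(results):
    """Legacy versions the server accepted; an empty list means nothing left to migrate."""
    return sorted(v for v, ok in results.items() if ok and v in LEGACY_VERSIONS)

if __name__ == "__main__":
    report = audit_host("payments.example.com")  # placeholder host; use your own
    print(report)
    print("Still to migrate:", legacy_findings(report) or "none")
```

Run it only against hosts you operate; a non-empty “Still to migrate” list is what the Risk Mitigation and Migration Plan needs to account for.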
At BASYS Processing we take your safety seriously. We separate ourselves from our competitors by having an in-house PCI Compliance Team of specialists, based at our home office in Lenexa, KS, and thoroughly trained on the latest version of PCI DSS. We proactively contact our merchants to walk them through the annual PCI Compliance process, eliminating that headache entirely.
If you are a current merchant and have PCI questions or concerns, please call us at (800) 386-0711 and ask to speak with someone in PCI Compliance. Our PCI Team is available Mon-Fri, 8am – 5pm CST to help you protect your business.
If you are with another processor, and PCI Compliance is a concern, a risk, or a headache for you, please call us at (800) 386-0711, and let’s talk about moving your credit card processing to BASYS and solving that problem for you.