The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard created by the five leading card schemes with the intent of reducing the risk of security breaches that result in data compromise and, ultimately, in fraudulent use of payment account information.


The PCI DSS is only one of a broader family of such standards, which address various aspects of the payment ecosystem, such as payment applications, card-reading devices, etc.

To cope with these numerous standards and the continuously evolving threat and technological landscape, the Card Schemes have established the PCI Security Standards Council (SSC), which is a global open body whose goal is to develop, evolve, maintain and disseminate these security standards for payment account security.

Organisations that understand the importance of information security strive to adhere to these standards not only because of the fines and penalties associated with non-compliance, but because they understand the far greater financial and reputational damage that can result from a publicly disclosed information security breach.

The latest update to the standard, PCI DSS 3.1, was rolled out less than a year ago and was introduced in order to phase out certain versions of the protocols used to secure e-commerce payments, i.e. SSL v3.0 (Secure Sockets Layer) as well as TLS v1.0 & v1.1 (Transport Layer Security), due to recently identified flaws. Both had previously been given as examples of strong cryptographic protocols until they were found to be affected by the POODLE vulnerability, and so the Council issued a deadline for their replacement.
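As an added example (not part of the original post), the following standard-library Python check reports which of the legacy protocol versions named above a TLS configuration would still negotiate, which is the question an assessor asks when verifying the migration. The function names and the constructed weak policy are assumptions for illustration.

```python
import ssl

# Versions the standard phased out: SSL 3.0 and early TLS (TLS 1.0 / 1.1).
# Each maps to the OP_NO_* option bit that can also switch it off.
LEGACY = {
    ssl.TLSVersion.SSLv3: ("SSLv3", ssl.OP_NO_SSLv3),
    ssl.TLSVersion.TLSv1: ("TLSv1", ssl.OP_NO_TLSv1),
    ssl.TLSVersion.TLSv1_1: ("TLSv1_1", ssl.OP_NO_TLSv1_1),
}


def legacy_versions_permitted(minimum=None, maximum=None, options=0):
    """Names of legacy versions a configuration with this version floor,
    ceiling (None = unbounded) and OP_NO_* option bits would still offer.
    OpenSSL honours both mechanisms, so a version is permitted only when
    it lies inside the bounds AND its OP_NO_* bit is clear. This reports
    the configured policy; the linked OpenSSL build may refuse some anyway."""
    permitted = []
    for version, (name, no_flag) in LEGACY.items():
        if minimum is not None and version < minimum:
            continue
        if maximum is not None and version > maximum:
            continue
        if options & no_flag:
            continue
        permitted.append(name)
    return permitted


def audit_context(ctx):
    """Audit a live ssl.SSLContext, mapping its sentinel bounds to None."""
    lo = ctx.minimum_version
    hi = ctx.maximum_version
    lo = None if lo == ssl.TLSVersion.MINIMUM_SUPPORTED else lo
    hi = None if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED else hi
    return legacy_versions_permitted(lo, hi, ctx.options)


def compliant_server_context():
    """Server context restricted to TLS 1.2 and later (the migration target)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_policy_audit():
    """Constructed weak policy: no version floor, only SSLv3 disabled by option bit."""
    return legacy_versions_permitted(options=ssl.OP_NO_SSLv3)


if __name__ == "__main__":
    print("weak policy still offers:", weak_policy_audit())
    print("compliant context offers:", audit_context(compliant_server_context()))
```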

What changes will PCI DSS 3.2 introduce?

One change that is confirmed is the extended deadline for replacing the insecure SSL and TLS versions with their current and secure counterparts, which has been set as 30 June 2018. In a blog post interview on the PCI SSC's website, the Council's CTO Troy Leach also hinted at some additional potential changes which are still being evaluated:

  • Additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE)
  • "Some" of the Designated Entities Supplemental Validation (DESV) criteria may be incorporated for service providers
  • Masking criteria for primary account numbers (PAN) when displayed will be clarified
  • The PCI DSS 3.2 will also include the updated SSL/TLS migration dates, as the deadline for the completion of this migration was extended in December 2015 to June 30, 2018.

While these are not definitive yet, they come as a result of market feedback, the "trending attacks causing compromises" and the forensic reports reviewed by the Council.

As for when organisations can expect the PCI DSS 3.2 to be rolled out, Troy Leach stated that the Council will likely publish the revision within the "first half of 2016", with an aim for the March/April timeframe. This is because the SSC is "sensitive to the drastic changes that are happening with payment acceptance" (such as the United States' EMV chip rollout and "advancements in mobile payments") but by releasing the PCI DSS update with "long sunrise dates", organisations can "evaluate the business case for their security investments".

How to prepare for the changes?

Although the PCI DSS 3.2 revisions have not yet been detailed in full, businesses can still prepare by ensuring that they are compliant with the PCI DSS in its current form.

The same applied in 2015 when, on July 1st, merchants that use card-reading devices or terminals had to start complying with requirement 9.9. PCI DSS Requirement 9.9 became mandatory as described in the PCI DSS 3.1 update, and it concerns the continuous monitoring of those card-reading terminals (PoS, PEDs, standalone dial-out terminals, etc.). That is what our ZeroRisk PINpoint solution was created for: a way of putting continuous terminal monitoring in place, developed specifically for one of the new rules introduced by the latest version of the PCI DSS. Are you up to speed with your device monitoring?

Moreover, as Troy Leach states, organisations should also take the time to evaluate their security investments. Security investments may include hiring trusted IT security professionals and QSAs (Qualified Security Assessors) such as Advantio to help you achieve PCI DSS compliance and to assess your compliance status.

Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason I started my own business is to make IT security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight) / Linux+ / PCI-QSA / PA-QSA