For retailers that accept credit or debit cards and use service providers, a new version of the PCI Data Security Standards (PCI DSS v3.2) will impose new requirements as of November 1, 2016.

The Payment Card Industry (PCI) Security Standards Council issued “clarifications” and “evolving requirements” in the new version. Clarifications are changes to ensure “that concise wording in the standard portrays the desired intent of the requirements.” Evolving requirements aim to “ensure that the standards are up to date with emerging threats and changes in the market.”  The Council also issued guidance as part of the new standards.

Altogether, there are 44 clarifications and 12 evolving requirements. Although every change can be  important, this post focuses on the 12 evolving requirements.

November 1, 2016 Compliance Date

  • Section 3: adopts a “minimum necessary” standard for Permanent Account Number (PAN) display. The display would usually be limited to only the last 4 digits of the PAN or, if a bank identification number is needed, only the first 6 digits of the PAN.
  • Section 8.3: requires multi-factor authentication for all access that is “individual non-console administrator access” and all remote access to the cardholder data environment. Note that the guidance specifies that multi-factor authorization is not required at both the system level and application level for any particular system component.
  • Section 8.3.2: requires multi-factor authentication for “all remote network access originating from outside the entity’s network [both user and administrator, and including third party access for support or maintenance].” Per the guidance, this requirement applies to any remote access “when that remote access could lead to access to the cardholder data environment.”  The guidance also recommends (but does not require) multi-factor authentication for all remote access to the entity’s network.

January 31, 2018 Compliance Date

While these new requirements have a long lead time, the new standards describe them as “best practices” until the compliance date.

  • Section 3.5.1: requires service providers to maintain a documented description of their cryptographic architecture. This documentation includes details of algorithms, protocols, and keys (key strength, expiry date, and usage). It also includes hardware security modules and secure cryptographic devices for key management. Service providers must maintain current documentation to help service providers detect missing keys and identify unauthenticated additions to the cryptographic architecture.
  • Section 6.4.6: mandates updated documentation, including network diagrams, system configurations, and vulnerability scanning for any new or changed systems and networks.
  • Section 8.3.1: requires multi-factor authentication for administrator non-console access into the cardholder data environment. Per the guidance, this requirement does not apply to application or system accounts performing automated functions.
  • Section 10.8: requires service providers to establish processes for timely detection and reporting of failures of critical security control systems, such as firewalls, anti-virus systems, physical access controls, and audit logging.
  • Section 10.8.1: requires service providers to respond in a timely fashion to failures of the critical security control systems.
  • Section 11.3.4.1: requires service providers that elect to use segmentation to test every six months and after changes to segmentation controls/methods. The tests are reviews of the twice-yearly (at least) penetration tests.
  • Section 12.4.1: requires service provider executive management to establish responsibility for protection of cardholder data and a PCI DSS compliance program, including a charter and communication to executive management.
  • Section 12.11: requires service providers to perform reviews (at least quarterly) to confirm that personnel are following security policies and operational procedures. These reviews must include:  (1) daily log reviews; (2) firewall rule-set reviews; (3) applying configuration standards to new systems; (4) responding to security alerts; and (5) change management processes.  Testing procedures include interviews of responsible personnel.
  • Section 12.11.1: requires service providers to document the quarterly review process in Section 12.11, including the results of the reviews and sign-off by the personnel assigned responsibility for the PCI DSS compliance program.