Publication - 05/06/2016
Payment Card Industry Security Standards Council
Revises Data Security Standards
Client Alert
Key Takeaways:
Requires multi-factor authentication for card administrators to access sensitive card data on all networks
Companies should prioritize PCI compliance as a continuing practice
On April 28, 2016, the Payment Card Industry’s Security Standards Council (PCI) published its new Data Security Standards
(DSS). PCI sets debit/credit card security standards and periodically updates and clarifies existing standards to reflect
changes in the business and technical landscape. The new revisions, PCI DSS 3.2, will go live in October 2016.
The updated rules address two topics. First, the revised rules will require card administrators to use multi-factor
authentication to identify themselves when accessing sensitive cardholder data, regardless of whether they are accessing
their systems onsite or remotely.
Previously, administrators only needed multi-factor authentication when they were on an
untrusted network. Going forward, that requirement will extend to all networks – onsite as well as remote. Troy Leach, PCI
Security Standards Council CTO, justified the revisions: “We’ve seen an increase in attacks that circumvent a single point
of failure, allowing criminals to access systems undetected, and to compromise card data.” He added that “a password alone
should not be enough to verify the administrator’s identity and grant access to sensitive information.”
Second, the April 2016 update added criteria that instruct companies to apply and maintain the PCI standards as an
everyday, continuing practice, rather than an annual compliance exercise associated with an audit or self-assessment.
Leach noted that compliance trends indicate that many organizations view PCI compliance as an annual exercise, but that it
is important for companies to prioritize PCI compliance as an ongoing, around-the-clock effort rather than as a “one-off”
event.
Note: The current version of the standards – PCI DSS 3.1 – will expire six months after the release of PCI DSS 3.2 (i.e.,
October 31, 2016). All revised/upgraded SAQ forms/procedures included with PCI DSS 3.2 should be used beginning
November 1, 2016. PCI DSS 3.2 will not be a requirement until February 2018, in order to provide companies sufficient
time to implement the new standards.
Drinker Biddle recommends that companies commence a review of their current authentication protocols and begin to plan
to upgrade those systems to comply with the new PCI DSS 3.2 standards.
It is critical to build enough time into this process to allow for the proper training of all employees affected by the
new procedures, so as to avoid last-minute implementation difficulties. In addition, companies should prioritize PCI
compliance as an ongoing effort.