New PCI DSS version concentrates on multi-factor authentication and encryption

New PCI regulation will include a heavy focus on multi-factor authentication, people, processes and encryption

There will be new safeguards on payment data and more focus on people and processes

The PCI Security Standards Council (PCI SSC) has released the latest version of the PCI Data Security Standard.

Version 3.2 sets out the strong encryption and multi-factor authentication requirements that merchants and banks must deploy, as well as when those changes must take place.

The previous version, 3.1, expires 31 October this year. But the PCI SSC has said that firms that accept, process or receive payments should adopt it as soon as possible to prevent, detect and respond to cyberattacks.

Among the key changes are revised sunset dates for Secure Sockets Layer (SSL) and early Transport Layer Security (TLS); an expansion of requirement 8.3 to include use of multi-factor authentication for administrators accessing the cardholder data environment; and additional security validation steps for service providers and others, including the “Designated Entities Supplemental Validation” (DESV) criteria, which were previously a separate document.

The primary changes in the new version are clarifications on requirements that help organisations confirm that critical data security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process, according to PCI Security Standards Council general manager Stephen Orfei.

“This includes new requirements for administrators and service providers, and the cardholder data environments they are responsible to protect. PCI DSS 3.2 advocates that organisations focus on people, process and policy, with technology playing an important role in reducing the overall cardholder data footprint.”

PCI Security Standards Council chief technology officer, Troy Leach, said that multi-factor authentication is now a requirement for any personnel with administrative access into environments handling card data.

“Previously this requirement applied only to remote access from untrusted networks. A password alone should not be enough to verify the administrator's identity and grant access to sensitive information,” he said.

“Additionally, service providers, specifically those that aggregate large amounts of card data, continue to be at risk. PCI DSS 3.2 includes a number of updates to help these entities demonstrate that good security practices are active and effective.”

Kevin Burns, Head of Solution Architecture at Vodat International and former head of payments and PCI at BT Expedite, told SCMagazineUK.com that the key change to the PCI DSS which the PCI Security Standards Council has made in version 3.2 reinforces the need for organisations to stop supporting SSL and older versions of TLS.

“For retailers, the main channel this affects is eCommerce and the real impact is on end customers who do not patch their devices. Using stronger encryption - which has yet to be exploited, as provided in TLS version 1.2 - provides additional security for the end customer.”

He added that the benefit is that retailers are less likely to have their website exploited and therefore less likely to have unhappy customers on the basis that previous exploits either redirected the user or hijacked the checkout.

“Some terminals also rely upon SSL / TLS to secure cardholder data and again the advantage for retailers will be the improved security of their customers' sensitive data during card payment processing,” said Burns.

Gavin Buckton, senior security consultant at Nettitude, told SC that the control changes in PCI DSS 3.2 will not in themselves significantly reduce fraud.

“It's the transition away from the previously employed three-year release cycle, where a new standard and updated controls therein were released every three years, which will deliver the greatest benefit.

“Changes to the standard will now be released in direct response to the actual threats and incidents observed in the field. So organisations that keep abreast of changes and implement the new control requirements in a timely manner will shorten the window of opportunity for cyber criminals to exploit weakness in systems and process, and decrease the negative impacts of fraud as a result,” said Buckton.

He said that multi-factor authentication for internal access to the Card Data Environment (CDE) provides greater protection from malware-based attacks where, for example, IT support systems have been compromised by some form of malicious software such as a key-logger, which results in the usernames and passwords of CDE systems being captured and subsequently used for unauthorised access.

“With multiple authentication factors such as one-time-password or digital certificates employed, this becomes a significantly more challenging attack vector.”