PCI DSS 3.2 Changes

August 12, 2016

PCI DSS 3.2 Changes

Audits affect all sectors in some shape or form. These exist to protect consumers and merchants, they are therefore extremely important, despite the fact they can sometimes cause a few eyes to roll. At Cardstream however, we ungrudgingly intend for security to be absolute. Aside from our broad range of fraud prevention technology, we make sure that we are ahead of the curve in regards to PCI DSS compliance to keep merchants processing safely. To that end, I’d like to inform you of new PCI DSS guidelines that are coming in. PCI DSS 3.1 will be retired in October of this year making way for PCI DSS 3.2. Cardstream are here to inform you on these changes we’ve been accommodating since its announcement.

Multifactor Authentication – This is now a mandatory request for non-console administrative access where previously it was only necessary for remote access to a system. Multifactor authentication is the act of providing two forms of identification as necessary access to the system as opposed to just one. This can be in different forms of ID, such as biometrics, passwords or smart cards. A password in itself is now insufficient.

TLS 1.1 Change – Due to feedback and the PCI SSC’s understanding of the payments industry; they identified that the original date for the TLS 1.1 migration (June 2016) was not ideal. In PCI DSS 3.2 that date has been expanded to accommodate a longer migration period, therefore TLS 1.1 will now need to be in place by June 2018. Cardstream will be following suit.

Penetration Testing – In line with incoming standards, service providers are now expected to perform penetration testing every six months, instead of every year, this is sub-requirement The testing routine 11.3.4 has been added to ensure the testing is completed by a qualified internal or external third party.  Penetrating testing is the attempt of a party to identify, by attempted infiltration, any problems in the service provider’s security.

Ongoing Monitoring – Requirement 10.8 and sub-requirement 10.8.1 are being introduced in the standard’s framework. These requirements expect service providers to detect and report all failures on critical security control systems. The purpose of this is for companies to provide a system that alerts them when critical controls fail: without this companies may find issues can go unnoticed and become cracks in the system that attackers could infiltrate.

Also being brought to people’s attention with PCI DSS 3.2 is the need to stop using outdated and unsupported software in the CDE (Cardholder Data Environment). This is because when patches are brought out for security, for example into Windows XP, that patch won’t reach that software, making the system potentially penetrable.

These are some of the bigger PCI DSS 3.2 changes that are being bought in and Cardstream are fully prepared for this transition. Please see our shiny new PCI DSS 3.2 certificate here.

For any information about Cardstream security and additional fraud checking services, or to just to poke around for details about our payment gateway UK, why not give us a call on 0845 00 99 575? A member of the Cardstream team will be ready to answer any questions you may have.