The PCI Security Standards Council has described the main changes in PCI DSS 3.2, an update aimed at businesses that handle cardholder data. Troy Leach, the Council's CTO, says the rollout will not be rushed, so that organizations have time to prepare for the new requirements.
For some companies the transition may take up to two years. The Council is also discussing less frequent updates to the standard, so that companies do not have to keep changing their infrastructure with every release.
The most notable features of PCI DSS 3.2:
Expanded multi-factor authentication. The Verizon Data Breach Investigations Report found that 63% of confirmed breaches involved weak, default or stolen passwords, and the Council recommends moving away from single-factor authentication. PCI DSS already required multi-factor authentication for remote access to the Cardholder Data Environment (CDE) from outside the network; PCI DSS 3.2 extends it to all non-console administrative access to the CDE, so that a system administrator can no longer reach the CDE with a single factor. Organizations must comply with this requirement by February 1, 2018.
New requirements for service providers. PCI DSS 3.2 incorporates several criteria from the Designated Entities Supplemental Validation (DESV) as requirements for service providers. Among them: service providers must implement a process to detect and respond to failures of critical security controls; they must perform penetration tests on segmentation controls at least every six months; they must carry out quarterly reviews to confirm that personnel are following security policies and procedures; and their executive management must take formal responsibility for protecting cardholder data and demonstrate an understanding of the PCI DSS.
Extended deadline for migrating from SSL and early TLS. After serious vulnerabilities were discovered in SSL and early TLS, the PCI Council removed SSL from its examples of strong cryptography in the PCI Data Security Standard and required a migration from SSL and TLS 1.0 to a secure version of TLS (currently 1.1 or higher, with 1.2 strongly recommended) by the end of June 2016. This caused problems in the market, because many companies could not complete the migration that quickly. To ease the transition, the Council pushed the migration deadline back to June 30, 2018. PCI DSS 3.2 also includes a migration appendix that requires entities still using SSL or early TLS to maintain a risk mitigation and migration plan, which is intended to make the transition more orderly.
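What the migration looks like on a single web server, as an added example that is not from the article or from the PCI Council: an nginx TLS block with the weak protocol settings the deadline targets, beside the hardened form. The host name, certificate paths and the server itself are assumptions; the two server blocks are alternatives, not meant to be loaded together.

```nginx
# Constructed example (not from the article or PCI SSC). Host name and
# certificate paths are hypothetical.

# BEFORE migration: still offers SSLv3 and TLS 1.0, which is exactly what
# the PCI DSS migration deadline removes. Do not deploy this block.
server {
    listen 443 ssl;
    server_name payments.example.com;
    ssl_certificate     /etc/ssl/certs/payments.crt;
    ssl_certificate_key /etc/ssl/private/payments.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}

# AFTER migration: SSL and early TLS are gone. TLS 1.2 is the practical
# floor (the Council's minimum is 1.1, with 1.2 strongly recommended);
# add TLSv1.3 on builds whose OpenSSL supports it.
server {
    listen 443 ssl;
    server_name payments.example.com;
    ssl_certificate     /etc/ssl/certs/payments.crt;
    ssl_certificate_key /etc/ssl/private/payments.key;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Forward-secret AEAD suites only; no RC4, no 3DES, no CBC with SHA-1.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
}
```

After reloading nginx, confirm the old versions are really refused rather than trusting the config file: `openssl s_client -connect payments.example.com:443 -tls1` and `-tls1_1` should fail the handshake, while `-tls1_2` should succeed. Remember that the migration requirement covers every point where SSL or early TLS protects cardholder data, including load balancers, APIs and client applications, not just the public web tier.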