The most recent update to the Payment Card Industry Data Security Standard, referred to as PCI DSS 3.2, became mandatory on February 1, 2018. All merchants and service providers who accept credit card payments from Visa, MasterCard, Discover, and American Express are affected. The goal of the standard is to provide stronger security measures for consumers and to protect them, as well as service providers and merchants, against cyber attacks. PCI DSS v3.0 was the first set of regulations, released in 2015. The next version, PCI DSS v3.1, was released in 2016.
New standards to prevent security breaches
The latest standards have been set to reduce risk, especially from cyber intruders. With attackers constantly looking for loopholes and vulnerabilities in payment systems, the Payment Card Industry has made it a priority to continuously consolidate its best practices and update its mandatory requirements.
One of the main steps of this process is a self-assessment to ensure that a company is fully compliant with all the established rules and regulations. Penetration testing and vulnerability assessment scans are obligatory every three months. Independent audits, in addition to periodic scans, are also required for certain businesses that handle large volumes of cardholder transactions.
Certain updated controls and new regulations that are applicable now
Control 3.3 – Changes in wording
Generally, only the first six and last four digits of a credit card number should be displayed. However, personnel who have a legitimate reason to see the entire credit card number are allowed to view it.
Control 3.5.1 – Encryption architecture documentation
This control, which governs the protocols, algorithms, and keys used to protect card data, applies to service providers.
Control 6.4.6 – Verifying PCI DSS requirements on new and modified networks
This control applies to both merchants and service providers. It requires employees to scrutinize records, examine the affected systems, and interview staff to ensure that the applicable PCI DSS requirements have been properly implemented.
Control 8.3.1 – Multiple authentication factors for CDEs
The new standards require “multiple” authentication factors, meaning that at least three types of authentication should be adopted in the cardholder data environment.
Control 10.8 – Periodic reporting and detection of system failures
This control applies to service providers. It defines the process for detecting system failures and for producing regular periodic reports.
Control 10.8.1 – Response to security incidents
This control applies to service providers. It requires companies to have an effective plan for responding to any breach or failure. Remedial action should be taken immediately. Managers and directors should then determine whether further action is necessary, and additional safeguards should be put in place to prevent a similar breach from recurring.
Control 11.3.4.1 – Regular penetration tests
Service providers that segment their environments are required to carry out penetration tests every six months.
Control 12.11 – Security policy reviews
Service providers are required to review all security policies every three months to make sure that personnel are following the rules and procedures.
Control 12.11.1 – Maintain quarterly review documentation
Service providers must ensure that each quarterly review is properly documented and that the person responsible for the PCI DSS compliance program signs off on it.