Who Has to Comply?

Similar to previous versions of PCI DSS, version 3.2.1 applies to any organization processing, storing, or transmitting cardholder data. This includes anyone from the smallest local shop to the largest financial institutions. There are no exemptions based on the size of the organization or the number of transactions; every business that handles cardholder data is responsible for compliance.
When Does Version 3.2.1 Come into Effect?

The latest version of PCI was actually published back in April 2016, but the council gave organizations a considerable grace period for implementing changes. Until January 31, 2018, the updates were considered best practices rather than mandatory compliance measures. However, as of February 1, 2018, the new guidelines came into effect and are now considered part of regular compliance. The one exception to this is the previous requirement regarding migrating from SSL to the TLS security protocol; organizations now have until June 30, 2018, before compliance becomes mandatory.
What's the Focus of the Changes in Version 3.2.1?

The latest version of PCI is aimed at addressing the speed with which hackers and other malicious parties adapt their techniques and tactics to exploit vulnerabilities in payment card industry security. In other words, threats to cardholder data are evolving at a rapid pace, and the latest version of PCI is designed to help merchants address this. The changes included in version 3.2.1 were informed by data breach report findings, as well as changes in the payment industry and feedback from participating organizations.
What Are the New PCI Requirements with Version 3.2.1?

The major changes with version 3.2.1 include the addition of new requirement subsections and updates to other subsections. Here are some of the most important highlights:
PCI Requirement 8.3.1

This is one of the most important changes in PCI version 3.2. Whereas previous versions of PCI required multi-factor authentication only for remote console access to the cardholder data environment, multi-factor authentication is now required for all non-console access. In the process, 8.3 was expanded into sub-requirements, and now includes 8.3, 8.3.1, and 8.3.2.
PCI Requirement 6.4.6

This is a new sub-requirement that makes it mandatory for merchants to certify that proper security controls are in place after a change to the cardholder data environment.
PCI Requirements 10.8 and 10.8.1

This is another new requirement (the former 10.8 became 10.9) that dictates service providers must report failures in critical security control systems, including failures of firewalls, file integrity monitoring, physical and logical access controls, antivirus, and more. Furthermore, sub-requirement 10.8.1 states that reporting of and response to failures must occur in a timely manner, and it also suggests steps for responding to failures.
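As an added illustration of what "detecting a failure in a critical security control" can look like in practice (this is example code written for this post, not the vendor's product or anything the Council publishes), the script below reads constructed status lines of the form `<timestamp> control=<name> status=<ok|failed>` that each control is assumed to emit, and flags a control as failed when its latest status is not `ok`, when it has gone silent for longer than an assumed maximum, or when it has never reported at all. The control names, the line format and the six-minute silence window are assumptions chosen for the example.

```python
"""Critical-control health check (example code, not a vendor tool).

Each critical security control (firewall, FIM, antivirus, IDS) is assumed to
emit a periodic status line.  A control that reports a non-ok status, stops
reporting, or never reports is treated as a failure that must be reported and
responded to (PCI DSS 10.8 / 10.8.1).
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed list of controls whose failure must be reported.
CRITICAL_CONTROLS = ["firewall", "fim", "antivirus", "ids"]

# Assumed line format: "<ISO-8601 UTC timestamp> control=<name> status=<word> ..."
LINE_RE = re.compile(r"^(\S+) control=(\w+) status=(\w+)")

# Constructed sample status lines for the demonstration.
SAMPLE_LINES = [
    "2018-06-13T10:00:00Z control=firewall status=ok",
    "2018-06-13T10:00:00Z control=fim status=ok",
    "2018-06-13T10:00:00Z control=antivirus status=ok",
    "2018-06-13T10:05:00Z control=firewall status=ok",
    '2018-06-13T10:05:00Z control=antivirus status=failed detail="signature update error"',
    "this line is not a status line and is ignored",
]


def parse_status_lines(lines: List[str]) -> List[Tuple[datetime, str, str]]:
    """Turn raw lines into (timestamp, control, status) tuples; skip non-matching lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3)))
    return events


def assess_controls(events, now: datetime, max_silence: timedelta) -> Dict[str, str]:
    """Return the state of every critical control as of `now`.

    A control is "ok" only if its most recent status is ok and that status is
    no older than `max_silence`; otherwise the value explains the failure.
    """
    latest: Dict[str, Tuple[datetime, str]] = {}
    for ts, control, status in events:
        if control not in latest or ts >= latest[control][0]:
            latest[control] = (ts, status)

    state: Dict[str, str] = {}
    for control in CRITICAL_CONTROLS:
        if control not in latest:
            state[control] = "FAILED: no status ever reported"
            continue
        ts, status = latest[control]
        if status != "ok":
            state[control] = f"FAILED: last status '{status}' at {ts.isoformat()}"
        elif now - ts > max_silence:
            state[control] = f"FAILED: silent since {ts.isoformat()}"
        else:
            state[control] = "ok"
    return state


def demo() -> Dict[str, str]:
    """Run the check over the constructed sample at an assumed point in time."""
    now = datetime(2018, 6, 13, 10, 10, 0)          # assumed "current" time
    return assess_controls(parse_status_lines(SAMPLE_LINES), now, timedelta(minutes=6))


if __name__ == "__main__":
    for control, state in demo().items():
        print(f"{control:10s} {state}")
```

In the sample, the firewall is healthy, the antivirus has explicitly reported a failure, FIM has been silent for ten minutes, and the IDS has never reported; the last three would each need a ticket and a documented response under 10.8.1. Whatever produces the real status lines, the important design point is that silence is treated as a failure, because a control that has quietly died otherwise looks identical to one that simply has nothing to report.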
PCI Requirement 12.11

With the addition of this requirement, service providers must now perform quarterly reviews to ensure personnel are accurately following operational procedures and security policies.
For more information, you can view a full report of the summary of changes.
Have There Been Changes to the SAQs?

The SAQs are yes/no-style self-assessment questionnaires designed to help merchants get a better idea of their PCI compliance and the current state of their security protocols. There are nine different SAQs, and the one you use depends on how you handle credit card information. For instance, the questionnaire for e-commerce merchants is different from the one for merchants who use physical point-of-sale terminals to swipe cards. Not all organizations are required to submit SAQs, and your bank can help you determine if you should. Although there aren't any new SAQs with the release of version 3.2, there have been some changes made to some of the existing SAQs, including:
- SAQ A
- SAQ A-EP
- SAQ C-VT
- SAQ C
- SAQ P2PE
PCI DSS has been around for over a decade, so any organization handling cardholder data should already have taken steps toward compliance. For those who have yet to comply, it is not too late to start. In our previous post about PCI deadlines and requirements, we note the best practices for continuous PCI compliance. These include:
- Proactive change management
- Auditing capabilities
- Integrated ticketing
- Automatic vendor change identification
Let FIM Help with PCI Compliance

Requirements 10.5.5 and 11.5 call for a change-detection mechanism such as file integrity monitoring software, which helps to ensure log data and other critical files cannot be changed without generating alerts. To learn more about PCI DSS compliance and how to secure your systems, download our FIM for PCI DSS brief today.
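To make concrete what "cannot be changed without generating alerts" means, here is a minimal file integrity monitor written for this post (it is an added example, not the FIM product the brief describes). It records a SHA-256 baseline of every file under a directory, re-scans later, and reports files that were modified, added or removed. The `demo()` function builds a throwaway directory with two constructed log files, takes a baseline, then tampers with one log, deletes another and drops in an unexpected file, so the alerts it returns are what a real deployment would raise for the same events; the directory layout and file names are constructed for the example.

```python
"""Minimal file-integrity monitor (example code, not the vendor's product).

Baseline: path -> SHA-256 of content.  A later scan is diffed against the
baseline, and every modified, added or removed file becomes an alert, which is
the behaviour PCI DSS 10.5.5 / 11.5 expect from a change-detection mechanism.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large logs do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map each file under root (path relative to root, '/'-separated) to its digest."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two scans and return sorted lists of modified, added and removed paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def format_alerts(changes: Dict[str, List[str]]) -> List[str]:
    """Render one alert line per changed file, suitable for a SIEM or ticket."""
    return [f"ALERT: {kind} file {path}" for kind, paths in changes.items() for path in paths]


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline two logs, then tamper, delete and add a file."""
    with tempfile.TemporaryDirectory() as root:
        logs = os.path.join(root, "logs")
        os.makedirs(logs)
        with open(os.path.join(logs, "auth.log"), "w") as fh:
            fh.write("2018-06-13T10:00:00Z login ok user=alice\n")   # constructed log line
        with open(os.path.join(logs, "app.log"), "w") as fh:
            fh.write("2018-06-13T10:00:01Z request /checkout 200\n")  # constructed log line

        baseline = build_baseline(root)

        # Events the monitor must catch: an audit entry is erased from auth.log,
        # app.log disappears entirely, and an unexpected file shows up.
        with open(os.path.join(logs, "auth.log"), "w") as fh:
            fh.write("")
        os.remove(os.path.join(logs, "app.log"))
        with open(os.path.join(logs, "debug.log"), "w") as fh:
            fh.write("unexpected\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for line in format_alerts(demo()):
        print(line)
```

Two points carry over to any real deployment: the baseline itself must be stored somewhere the monitored host cannot rewrite (otherwise an attacker who edits a log can re-baseline it too), and for logs that are expected to grow, "modified" should distinguish an append from a rewrite of earlier content, which this minimal version does not do.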
June 13, 2018