PCI Compliance Requirements – January 31st is Quickly Approaching

Back in April of 2016, the latest version of the PCI Data Security Standards, version 3.2, was released. This release brought many changes to the PCI compliance requirements from the previous version, many of which we outlined in our April 2016 webinar. That release was 21 months ago and represents the last revision to the PCI DSS. If that release was almost 2 years ago, why are we talking about it again at this point in time?

As mentioned above, PCI DSS 3.2 brought many significant changes with it. The PCI Security Standards Council was very understanding that it could take time, money, and resources to complete these significant changes. For this reason, they gave merchants and service providers an extended timeframe for implementation. However, that timeframe is quickly coming to an end. What this means for you is that the best practices now become requirements on February 1st.

From April of 2016 through this January 31st, these control objectives were simply best practice recommendations and whether they were implemented or not did not affect the organization’s PCI Compliance status. Beginning February 1st, 2018, merchants and service providers will be required to comply with these control objectives. Here is a brief summary of the changes that become requirements after January 31, 2018:

• Requirement 3.5.1 (Service Providers Only) – Maintain a documented description of the cryptographic architecture.
• Requirement 6.4.6 (Merchants and Service Providers) – Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.
• Requirement 8.3.1 – (Merchants and Service Providers) - Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
• Requirement 10.8 (Service Providers Only) – Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of:
  • Firewalls
  • IDS/IPS
  • File Integrity Monitoring
  • Anti-Virus
  • Physical Access Controls
  • Logical Access Controls
  • Audit Logging Mechanisms
  • Segmentation Controls (If applicable)
• Requirement 10.8.1 (Service Providers Only) – Respond to failures of any critical security controls in a timely manner.
• Requirement 11.3.4.1 (Service Providers Only) – If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
• Requirement 12.4.1 (Service Providers Only) – Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program.
• Requirement 12.11 (Service Providers Only) – Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures.
• Requirement 12.11.1 – (Service Providers Only) – Maintain documentation of quarterly review process.

This list is not meant to be all encompassing, rather it is a high-level overview of the changes. To help organizations plan, implement and track your compliance with PCI we have created a simple, effective checklist related to these new control objectives in addition to the other requirements for PCI. Download your copy today and as always, don’t hesitate to drop a line in the comments or contact us with any questions.