PCI DSS in version 3.2 - what's new and how to respond?
When the American gangster Willy Horton was asked why he robbed banks, he reportedly replied: "Because that's where the money is." Modern fraudsters specializing in high technology are guided by much the same reasoning, which is why today's commercial organizations have become a target for financially motivated criminals.
The scale of the problem can be illustrated by the following figures: according to PrivacyRights.org, between January 2005 and April 2016 a total of 4,823 data breaches were recorded, compromising 898 million records of confidential data.
In addition, cardholder data may be compromised by careless practices within organizations themselves. A survey of companies in the US and Europe identified the following practices that put cardholder data at risk:
- 81% of companies store payment card numbers;
- 73% of companies store payment card expiry (validity) data;
- 71% of companies store payment card security codes;
- 57% of companies store data read from the magnetic stripes of payment cards;
- 16% of companies store other personal data.
Source: Forrester Consulting, The State of PCI Compliance (a PCI compliance study commissioned by RSA/EMC).
To prevent financial fraud and its potentially serious consequences, it is important to strengthen the security of cardholder data and ensure full protection of payment data. The PCI DSS standard was created for this purpose.
What is the PCI DSS standard?
PCI DSS stands for Payment Card Industry Data Security Standard. It is the information security standard governing organizations that work with the payment cards of the major card brands, including Visa, MasterCard, American Express, Discover and JCB.
The standard originally emerged from cooperation between Visa and MasterCard; later the other card companies in the United States incorporated PCI DSS into their own compliance programs.
The standard sets industry-wide security requirements. It consists of 12 high-level requirements, which are broken down into more than 200 detailed sub-requirements.
Some Facts About PCI DSS
The standard was developed to strengthen the security of bank cardholder data and to accelerate the adoption of agreed measures for protecting such data on a global scale.
Individual payment card brands independently decide whether to mandate PCI DSS compliance and set their own penalties for non-compliance.
Companies wishing to obtain a PCI DSS compliance certificate must pass a security audit conducted by an independent body.
The requirements of PCI DSS apply to all organizations involved in payment card processing, including merchants, processors, financial institutions and service providers, as well as any other organization that stores, processes or transmits cardholder data and/or authentication data.
What innovations appeared in the eighth requirement of the PCI DSS standard in version 3.2?
“One of the important changes in the PCI DSS 3 standard has been the addition of multi-factor authentication as a mandatory requirement for any employees who have administrative access to the environment used to work with cardholder data. Thus, a password alone is no longer enough to authenticate a user and provide access to confidential information, even if that user accesses data while on a secure network,” said Troy Leach, Chief Technology Officer of the PCI Security Standards Council.
Multi-factor authentication (MFA) is an approach to authentication in which, to be granted access to a system, the user must confirm their identity in two or more independent ways. In practice this means the user must present:
- something they know: a password or passphrase;
- something they have: a token, smart card or access to a mobile device;
- something they are: a fingerprint, an iris scan or another form of biometric authentication.
In previous versions of PCI DSS, two-factor authentication was required for remote access to the cardholder data environment from any untrusted network.
Let's look more closely at Requirement 8 of the standard, which governs secure access to cardholder data.
Section 8.1.5 specifies that ALL third parties with remote access to the cardholder data environment (CDE), whatever their relationship with the organization, must use multi-factor authentication. Previously, this requirement applied only to vendors.
A far more significant change is in Requirement 8.3, which is now split into two sub-requirements. In particular, a new clause was added that substantially expands the multi-factor authentication requirements to individual users who access the cardholder data environment while in the office.
Requirement 8.3.1 is a new requirement providing for multi-factor authentication by all employees who have access to cardholder data, that is, who have local access to the cardholder data environment and to the databases containing cardholder information. Requirement 8.3.1 comes into force on February 1, 2018.
Requirement 8.3.2 provides for multi-factor authentication by all employees who have remote access to the cardholder data environment.
Thus, in the latest version of the PCI standard, Requirement 8.3 mandates multi-factor authentication for all users, whether they are in the office or accessing the system remotely, as well as for administrators with privileged access.
Therefore, even if an organization already uses two-factor authentication for remote users, it will now have to apply multi-factor authentication to all users who have access to these systems, including when those users are in the office.
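As an added example (not from this article or from the PCI SSC), the following Python sketch combines two of the factors listed above, a PBKDF2 password hash as the knowledge factor and an RFC 6238 TOTP code as the possession factor, behind a policy function that encodes Requirement 8.3 as this article describes it: before 3.2, MFA only for remote access to the CDE; in 3.2, for local access to the CDE as well. The user record, salt and TOTP seed (the RFC 6238 test seed) are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo credential store: one user with a PBKDF2 password hash
# (something they know) and a TOTP seed enrolled in an authenticator app
# (something they have). Not a real deployment.
SALT = b"constructed-demo-salt"
ITERATIONS = 100_000
USERS = {
    "dba": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, ITERATIONS),
        "totp_seed": b"12345678901234567890",  # RFC 6238 test seed, demo only
    }
}


def totp(seed: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for Unix time t (HOTP over t // step)."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def mfa_required(remote: bool, in_cde: bool, pci_version: str = "3.2") -> bool:
    """Requirement 8.3 as the article summarizes it.
    Pre-3.2: MFA only for remote access into the CDE.
    3.2: 8.3.2 keeps remote access, 8.3.1 adds local (in-office) access."""
    if not in_cde:
        return False
    if remote:
        return True
    return pci_version == "3.2"


def authenticate(user: str, password: str, code: str, now: int,
                 remote: bool, in_cde: bool, pci_version: str = "3.2") -> bool:
    """Knowledge factor always; possession factor whenever 8.3 requires it."""
    rec = USERS.get(user)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)
    if not hmac.compare_digest(rec["pw_hash"], candidate):
        return False
    if not mfa_required(remote, in_cde, pci_version):
        return True
    # Accept the current and the previous 30 s step to tolerate clock drift.
    return any(hmac.compare_digest(totp(rec["totp_seed"], now - d), code)
               for d in (0, 30))
```

With `pci_version="3.1"` an in-office login to the CDE succeeds on the password alone, which is exactly the gap Requirement 8.3.1 closes.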