« The costs of the label game | Main | How the presidential election could impact your succession plans »

PCI compliance v3.2 - what's new

Dave Nelson, CISSP, is president and CEO of Integrity.

PCI Compliance Version 3.2

If you accept credit cards as part of your organization's operations, you should take note that the PCI Council recently released version 3.2 of the Payment Card Industry – Data Security Standard (PCI-DSS). There are quite a few changes and clarifications along with some new requirements. Before I cover what’s new with v3.2, let’s review who needs to be PCI compliant.

Who is required to be PCI compliant

If your business processes, stores or transmits any cardholder data, you must be PCI compliant. What this means is if you accept credit cards for payment via a website, telephone, in person, etc. you must comply. Even if you simply have the card numbers on file but don’t actually accept payments, you must comply. This is why the standard covers anyone who processes, stores or transmits cardholder data.

There are quite a few levels of compliance. In essence if you handle fewer than 6 million transactions annually you typically are able to self-certify using a Self-Assessment Questionnaire (SAQ). There are different versions of the SAQ, which are used depending on how your organization handles credit card data.

Often organizations believe they have fully outsourced their payment processing and therefore have no internal PCI compliance requirements. This is absolutely false. There are still requirements you must meet and you should be completing a Self-Assessment Questionnaire to avoid penalties and taking on additional risk of financial liability from fraudulent charges. For those who do have responsibility to comply with PCI-DSS v3.2, here are some of the changes coming with the new version. 

The most impactful PCI Compliance updates

The biggest change is a new requirement that anyone with non-console administrative access to the cardholder data environment (CDE) must use multi-factor authentication.  The PCI Council definition of non-console administrative access is “Refers to logical access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component. Non-console access includes access from within local/internal networks as well as access from external, or remote, networks.” This means even local domain or network administrators who are not sitting at the keyboard of the system they are administering must be authenticated via multiple factors. 

This is a very big change.  It will require most organizations to implement additional controls and possibly re-architect some of their infrastructure to allow this to occur. This becomes effective Feb. 1, 2018.

Another evolving requirement is that your change management process must address how any changes to the CDE will impact PCI requirements.  In the past, the change simply had to be addressed through the process. Now, an impact assessment must accompany this change.  For some changes this will be simple and easy to document. Others will require more detailed documentation. This should have been done in the past but it frequently was very informal. This will force the impact of these changes to be formally discussed and documented. This becomes a requirement on Feb. 1, 2018.

Many of the other changes are simple clarifications that either reinforce the existing requirements or provide additional flexibility in how the requirements can be met. The majority of these changes go into effect immediately as all assessments after Oct. 31, 2016 will use the v3.2 requirements. Compliance with PCI-DSS is becoming harder and harder. Organizations should expect additional information security and privacy legislation from the government as well as enhanced requirements from private sector groups.


Dave Nelson is president and CEO of Integrity. Dave Nelson 2015 IowaBiz Blog

Email: dave.nelson@integritysrc.com

Twitter: @integritySRC | @integrityCEO

Website: integritysrc.com


Dave thanks for sharing this. I have heard a lot of misinformation on PCI and this clears that up quite a bit.

Thanks Tom…I’m glad we are able to help make information security topics less confusing.

The comments to this entry are closed.

« The costs of the label game | Main | How the presidential election could impact your succession plans »

Technorati Bookmark: PCI compliance v3.2 - what's new

This site is intended for informational and conversational purposes, not to provide specific legal, investment, or tax advice.  Articles and opinions posted here are those of the author(s). Links to and from other sites are for informational purposes and are not an endorsement by this site’s sponsor.