PCI compliance v3.2 - what's new
Dave Nelson, CISSP, is president and CEO of Integrity.
If you accept credit cards as part of your organization's operations, you should take note that the PCI Council recently released version 3.2 of the Payment Card Industry – Data Security Standard (PCI-DSS). There are quite a few changes and clarifications along with some new requirements. Before I cover what’s new with v3.2, let’s review who needs to be PCI compliant.
Who is required to be PCI compliant
If your business processes, stores or transmits any cardholder data, you must be PCI compliant. In practice, this means that if you accept credit cards for payment via a website, by telephone, in person or any other channel, you must comply. Even if you simply keep card numbers on file but don’t actually accept payments, you must comply. This is why the standard covers anyone who processes, stores or transmits cardholder data.
There are quite a few levels of compliance. In essence, if you handle fewer than 6 million transactions annually, you are typically able to self-certify using a Self-Assessment Questionnaire (SAQ). There are different versions of the SAQ, and which one applies depends on how your organization handles credit card data.
Often organizations believe they have fully outsourced their payment processing and therefore have no internal PCI compliance requirements. This is absolutely false. There are still requirements you must meet, and you should be completing a Self-Assessment Questionnaire to avoid penalties and the additional financial liability that fraudulent charges can bring. For those who do have responsibility to comply with PCI-DSS v3.2, here are some of the changes coming with the new version.
The most impactful PCI Compliance updates
The biggest change is a new requirement that anyone with non-console administrative access to the cardholder data environment (CDE) must use multi-factor authentication. The PCI Council defines non-console administrative access as follows: “Refers to logical access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component. Non-console access includes access from within local/internal networks as well as access from external, or remote, networks.” This means even local domain or network administrators who are not sitting at the keyboard of the system they are administering must be authenticated via multiple factors.
This is a very big change. It will require most organizations to implement additional controls and possibly re-architect some of their infrastructure to support it. This becomes effective Feb. 1, 2018.
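To make the definition concrete, here is an added example (my own illustration, not part of the article or the PCI Council's material) that applies it to a few constructed admin-access records and flags the ones that would fall short of the new requirement. User and host names are hypothetical.

```python
# Added example: apply the PCI DSS v3.2 definition of "non-console administrative
# access" to constructed access records and flag sessions that reached the CDE
# without multi-factor authentication.
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessEvent:
    user: str
    target: str    # system component inside the cardholder data environment
    admin: bool    # administrative (privileged) session?
    source: str    # "console" = direct physical connection; "internal"/"external" = over a network
    factors: int   # number of distinct authentication factors used

def is_non_console_admin(ev: AccessEvent) -> bool:
    """Non-console admin access per the PCI Council definition: administrative
    access over a network interface. Internal networks count just like external ones."""
    return ev.admin and ev.source in ("internal", "external")

def mfa_violations(events):
    """Return the events that require MFA under v3.2 but used fewer than two factors."""
    return [ev for ev in events if is_non_console_admin(ev) and ev.factors < 2]

# Constructed sample records (hypothetical users and hosts).
SAMPLE_EVENTS = [
    AccessEvent("alice", "cde-db01",  admin=True,  source="internal", factors=1),  # LAN admin, password only
    AccessEvent("bob",   "cde-db01",  admin=True,  source="external", factors=2),  # remote admin with MFA
    AccessEvent("carol", "cde-db01",  admin=True,  source="console",  factors=1),  # at the keyboard
    AccessEvent("dan",   "cde-web01", admin=False, source="internal", factors=1),  # not administrative
]

if __name__ == "__main__":
    for ev in mfa_violations(SAMPLE_EVENTS):
        print(f"MFA required: {ev.user} -> {ev.target} ({ev.source}, factors={ev.factors})")
```

Only alice's session is flagged: she is an administrator, she is reaching the system over the network (internal counts), and she authenticated with a single factor.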
Another evolving requirement is that your change management process must address how any change to the CDE will impact PCI requirements. In the past, the change simply had to go through the process. Now, an impact assessment must accompany the change. For some changes this will be simple and easy to document; others will require more detailed documentation. This should have been done in the past, but it was frequently very informal. The new requirement will force the impact of these changes to be formally discussed and documented. This becomes a requirement on Feb. 1, 2018.
Many of the other changes are simple clarifications that either reinforce the existing requirements or provide additional flexibility in how the requirements can be met. The majority of these changes go into effect immediately, as all assessments after Oct. 31, 2016 will use the v3.2 requirements. Compliance with PCI-DSS is becoming harder and harder. Organizations should expect additional information security and privacy legislation from the government as well as enhanced requirements from private sector groups.
Email: dave.nelson@integritysrc.com
Twitter: @integritySRC | @integrityCEO
Website: integritysrc.com
Dave thanks for sharing this. I have heard a lot of misinformation on PCI and this clears that up quite a bit.
Posted by: Tom Henricksen | June 06, 2016 at 03:53 PM
Thanks Tom…I’m glad we are able to help make information security topics less confusing.
Posted by: Dave Nelson, CISSP | June 06, 2016 at 04:04 PM