Published earlier this year, PCI DSS 3.2 is the latest version of the standard we all know and love (well, know at least) and has been designed to ensure that security standards are developing and innovating at the same rate as the technology we use and the threats we face.
If you’re responsible for compliance at your contact centre, here’s everything you need to know about the changes…
So, What’s New?
Many of the changes found in PCI DSS 3.2 are simply extensions to, or expansions of, requirements that were already featured in 3.1; however, there are some broader themes.
The biggest of these is making sure that organisations are working on PCI DSS compliance all year round, rather than only getting everything shipshape for their yearly assessment.
For example, new requirements state that organisations must provide quarterly reviews demonstrating that employees understand and are following the correct security procedures; that a change-management process must be implemented to ensure any changes to a system (such as new apps, programs or devices) are monitored and compliant; and that DESV requirements will now be incorporated into PCI DSS.
There is also a much bigger emphasis on ensuring service providers do not compromise the security of their customers and that their compliance can also be demonstrated on a regular basis. For example, service providers will now have to report system failures, establish a structured PCI DSS compliance programme (with defined responsibilities at executive management level) and perform penetration testing every six months at a minimum.
Lastly, one of the biggest changes from PCI DSS 3.1 is that multi-factor authentication will now be a requirement for all personnel with non-console administrative access, rather than just those accessing data remotely.
What is DESV?
DESV, or Designated Entities Supplemental Validation, is like a more advanced version of PCI DSS that is sometimes required by payment brands or acquirers to ensure maximum data security on a regular basis (rather than just for PCI DSS assessments).
While DESV assessments will still only be necessary if requested by an acquirer or payment brand, incorporating the regulations into PCI DSS 3.2 is intended to encourage organisations to see whether the standards could be applied to their own systems, and to promote year-round vigilance.
What is Multi-Factor Authentication?
Multi-factor authentication is the process by which someone has to supply two or more independent forms of authentication in order to be granted access to sensitive material or systems. These can include passwords, security cards, fobs or biometrics, and the factors used should be of different types (something you know, something you have, something you are) rather than, say, two passwords.
In previous iterations of PCI DSS, personnel have been required to undergo two-factor authentication only when accessing systems remotely, but PCI DSS 3.2 now states that multi-factor authentication will be a requirement for all non-console personnel accessing data or changing systems from anywhere, including from within their organisation’s trusted network.
The change of name from two-factor to multi-factor signals that two factors are now the bare minimum.
When is All This Happening?
While the previous PCI DSS 3.1 officially retired on October 31st, the changes aren’t as scary as that date might suggest; organisations have until February 1st 2018 to implement all 3.2 requirements and any changes will be considered ‘best practice’ until then (although the PCI Security Standards Council does recommend adopting the standard ASAP for your own security and peace of mind).
What Do I Need to Do Now?
The good news is that, if you’re already working with us here at PCI Pal, a large part of the work is done as we are already fully PCI DSS 3.2 compliant.
If not, there’s no need to worry unduly; as we mentioned before, all organisations have until 1st February 2018 to make sure they’re compliant, so you have plenty of time to implement any necessary changes. We would, however, recommend getting started as soon as possible – partly because the new requirement for more regular monitoring and reporting will make upcoming PCI DSS assessments a lot easier.
It’s always good practice to make sure your security systems and procedures are as up-to-date as possible and functioning as they should be, so take this opportunity to review and reassess the way your contact centre handles and stores data and the way this data is accessed.
Reevaluate your security systems and start testing them regularly, both to get into the habit of compliance and to keep your data as secure as possible. If you do use third-party service providers, it’s also a good idea to check that they’re aware of and implementing the new regulations that apply to them, to ensure that they’re protecting your customers’ data as effectively as you are.
To find out more about the new requirements that will be coming in with PCI DSS 3.2, or to discuss our suite of secure payment solutions, please get in touch with our expert consultants today.
This guide is the second chapter of our eBook ‘Starting Your PCI Compliance Journey’.