The PCI Security Standards Council has released a new version of the PCI DSS, the data security standard used by the payment card industry, including banks and credit card companies. Released on 28 April, PCI DSS 3.2 has been devised to strengthen the rules for data access, protecting merchants, network operators and users.
The most significant change in the new standard is the requirement for multi-factor authentication (MFA) for any administrator accessing the cardholder data environment, whether they are logging in from a trusted or untrusted network. This is in contrast to the previous versions of the standard, which only required MFA for administrators logging on from an untrusted network – for example, if they were working remotely.
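To make the scope change concrete, here is an added audit check (not part of the original article or of any PCI tool) that runs over constructed authentication log lines and lists admin accesses to the cardholder data environment that lack MFA. It assumes a simple key=value log format, with the field names and sample values being constructed for this example, and it flags the same access under the old rule (MFA only from untrusted networks) and under the 3.2 rule (MFA from any network).

```python
import re
from dataclasses import dataclass

# Constructed sample log lines for this example; the format and field names are assumptions.
SAMPLE_LOG = """\
2016-05-02T09:14:03Z user=alice role=admin target=cde src=10.0.1.15 net=trusted mfa=yes
2016-05-02T09:20:41Z user=bob role=admin target=cde src=10.0.1.22 net=trusted mfa=no
2016-05-02T10:02:17Z user=carol role=admin target=cde src=203.0.113.9 net=untrusted mfa=no
2016-05-02T10:05:55Z user=dave role=admin target=cde src=198.51.100.7 net=untrusted mfa=yes
2016-05-02T10:30:00Z user=erin role=user target=cde src=10.0.1.30 net=trusted mfa=no
2016-05-02T11:00:00Z user=frank role=admin target=corp-wiki src=10.0.1.40 net=trusted mfa=no
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+role=(?P<role>\S+)\s+target=(?P<target>\S+)"
    r"\s+src=(?P<src>\S+)\s+net=(?P<net>trusted|untrusted)\s+mfa=(?P<mfa>yes|no)$"
)


@dataclass
class Access:
    ts: str
    user: str
    role: str
    target: str
    net: str
    mfa: bool


def parse_log(text):
    """Parse key=value log lines into Access records; malformed lines are skipped, not guessed."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            records.append(Access(d["ts"], d["user"], d["role"], d["target"], d["net"], d["mfa"] == "yes"))
    return records


def mfa_required(rec, version):
    """Whether the named PCI DSS version requires MFA for this access.
    Only administrator access to the cardholder data environment (target 'cde') is in scope here."""
    if rec.role != "admin" or rec.target != "cde":
        return False
    if version == "3.1":
        return rec.net == "untrusted"  # 3.1: MFA only when coming from an untrusted network
    if version == "3.2":
        return True  # 3.2: MFA regardless of the originating network
    raise ValueError(f"unknown PCI DSS version: {version}")


def find_violations(records, version):
    """Return the accesses that required MFA under the given version but did not use it."""
    return [r for r in records if mfa_required(r, version) and not r.mfa]
```

Running `find_violations(parse_log(SAMPLE_LOG), "3.2")` flags both bob (trusted network) and carol (untrusted), whereas the 3.1 rule flags only carol; the difference is exactly the population of administrators who need MFA rolled out under 3.2.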
Clearly this is a big change for PCI service providers, and will require a much more widespread deployment of MFA technology. The good news is that MFA technology has progressed significantly in recent years, and there are many options beyond traditional physical token-based solutions, which are cumbersome for users and expensive to deploy and administer. Modern next-generation MFA solutions, such as PingID, can make use of users’ smartphones to deliver a secure authentication system which is also highly convenient, even enjoyable, to use – the key to embedding security technology successfully is hitting the sweet spot between security and convenience, and mature technology now exists to deliver on this aspiration.
The previous version, PCI DSS 3.1, will expire on 31 October 2016.
With the release of the new PCI DSS, the PCI Security Standards Council is actively recommending that organizations review how access to their cardholder data environments is managed. Whilst the new standard may require significant changes to authentication and access management processes, the council strongly suggests that organizations study these new security practices and standards, even where they are not strictly mandatory in their industry.