The PCI Security Standards Council (PCI SSC) says the new version 3.2 of its standard will be used by payment application vendors to ensure their software products protect payment card data from theft. That is why the addition of multi-factor authentication is an important step in the latest PCI DSS standard.
The council says the introduction of the new version is a great opportunity for any company handling credit card data to check and evaluate how it accepts payments and whether it can reduce the risk to its customers by changing business practices relating to cardholder data exposure.
The changes within version 3.2 also invite companies to evaluate newer payment technologies such as tokenisation and encryption (please note IP Solutions has been leveraging both approaches for ten years!).
The council says in its review that it closely evaluated additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE), incorporated some of the Designated Entities Supplemental Validation (DESV) criteria for service providers, clarified the masking criteria for primary account numbers (PAN) when displayed, and included the updated migration dates for SSL/early TLS that were published in late 2015.
Part of the council’s case for multi-factor authentication was based on its analysis of recent cardholder data breaches and PCI DSS compliance observations, which revealed that many organisations still treat compliance as an annual exercise and therefore have no processes in place to ensure that PCI DSS security controls are continuously enforced.
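The PAN masking point above is easy to get wrong in display code and in logs, so here is an added example (not from the PCI SSC or from the original article) of how a practitioner might apply the display rule. It relies on one fact from the standard: PCI DSS Requirement 3.3 caps a displayed PAN at the first six and last four digits. Everything else is an assumption for illustration: the function names, the `X` fill character, the 13 to 19 digit PAN length check, and the sample log line, which uses the widely published test number 4111 1111 1111 1111 rather than a real card.

```python
"""PAN masking and display-compliance checks (added example, not the standard's own code)."""
import re

# PCI DSS 3.3: at most the first six and last four digits of a PAN may be shown.
# How many a given role is actually allowed to see is a business decision;
# these constants only enforce the standard's upper bound.
MAX_LEAD = 6
MAX_TRAIL = 4

# Constructed sample log line; the card number is a well-known test PAN, not a real one.
SAMPLE_LOG = "order 42 paid with 4111 1111 1111 1111 ok"

# Digit runs of 13 to 19 digits, optionally separated by spaces or hyphens.
_PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def mask_pan(pan: str, lead: int = MAX_LEAD, trail: int = MAX_TRAIL, fill: str = "X") -> str:
    """Return the PAN with everything except the permitted leading/trailing digits replaced."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    # Refuse requests that would expose more than the standard permits.
    if not (0 <= lead <= MAX_LEAD and 0 <= trail <= MAX_TRAIL):
        raise ValueError("requested exposure exceeds the PCI DSS display cap")
    hidden = len(digits) - lead - trail
    return digits[:lead] + fill * hidden + digits[len(digits) - trail:]


def is_compliant_display(display: str) -> bool:
    """Check that a rendered PAN only reveals digits in the first six or last four positions."""
    s = re.sub(r"[\s-]", "", display)
    if not 13 <= len(s) <= 19:
        return False
    n = len(s)
    for i, ch in enumerate(s):
        if ch.isdigit() and not (i < MAX_LEAD or i >= n - MAX_TRAIL):
            return False  # a digit is exposed in the middle of the PAN
    return True


def redact_pans(text: str) -> str:
    """Mask every PAN-shaped digit run in free text, e.g. before a line reaches a log file."""
    return _PAN_RE.sub(lambda m: mask_pan(m.group(0)), text)


if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))          # 411111XXXXXX1111
    print(is_compliant_display("411111XXXXXX1111"))  # True
    print(redact_pans(SAMPLE_LOG))
```

The redaction helper is the part most teams overlook: a PAN that is masked on screen but written in full to an application log is still unprotected cardholder data in scope for the assessment.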
It says that the ongoing process of adhering to PCI DSS requirements is what being “PCI compliant” means. The Report on Compliance (ROC) is a way to confirm that the required steps are in place and can evolve as an organisation changes over time.
These changes for service providers will provide greater assurance that security will remain as expected for both the provider and the customers that rely on its services. Again, this reinforces the value of multi-factor authentication within the PCI DSS security standards.