PCI DSS Update: What to ExpectNew Version to Require Multifactor Authentication for Admins
Within the next two months, the PCI Security Standards Council will release version 3.2 of its PCI Data Security Standard to require that all administrators with access to card data networks use multifactor authentication.
The new requirement is needed right now because breaches are prevalent, and merchants need clarification about what is expected of them, says Troy Leach, chief technology officer of the council.
But the council is baking in compliance time, he adds, likely giving merchants 18 months to comply with the new requirements. And has yet to announce what the new requirements actually are, he adds.
"As with all of our new requirements, there will be a long sunrise date, so people can make the right investment and prepare their networks for that additional security requirement," Leach says during this interview with Information Security Media Group.
The compliance date for implementing administrator-level multifactor authentication, he says, will be published within the standard.
"We'll make that announcement very shortly," Leach says. "But we basically want to emphasize that the change is for administrators that are going to have a higher privilege within the card data networks, which would allow them to possibly change systems and other credentials within that network that could compromise security of the environment. So, we are looking at any type of administrator, whether it be a third party or internal, that would have the ability to change privileges to create new access and new ways that people could route cardholder data."
The release of this newest version comes early, says Leach adds - the council typically issues its newest PCI DSS version every three years during the fourth quarter of the third year.
Encryption Updates a 'Must-Have'
Another reason for the new version of the standard, he says, is to ensure the industry is aware that it has more time to comply with new encryption requirements that were announced at the end of last year (see PCI Council Extends Encryption Deadline).
The original compliance date for a transition from SSL [Secure Sockets Layer] encryption was June 2016. Now, under the requirements of 3.2, the compliance date is not until 2018, he says.
SSL is an outdated encryption protocol, which the National Institute of Standards and Technology and other standards bodies have already said organizations should be moving away from, Leach explains.
"But we recognize that there are some business challenges and technical challenges within the financial industry, where we needed to extend that date further," Leach adds. "And so one of the reasons that we have an early release, rather than the expected November 2016 release [for the update to the DSS], is to accommodate that time between now and June."
Still, many organizations may not be aware that the compliance date has shifted, he says.
During this interview (link above), Leach also discusses:
- Why the PCI DSS is now considered to be a "mature" standard, which requires fewer new requirements;
- How the migration to EMV in the U.S., as well as merchants' investments in tokenization and end-to-end encryption, swayed the council to include fewer new card security requirements in version 3.2; and
- What businesses should be doing to prepare for the new multifactor authentication and encryption requirements to come in the updated version of the DSS.
As part of his role with the council, Leach partners with council representatives, PCI participating organizations and industry leaders to develop comprehensive standards and strategies to secure payment card data and the supporting infrastructure. He is a congressional subject-matter expert on payment security and is the current chairman of the council's Standards Committee. Before joining the PCI Council, Leach held various positions in IT management, software development, systems administration, network engineering, security assessment, forensic analytics and incident response for data compromise.