PCI update: Are you ready?

June 27, 2018 // Ellen Neveux

Last Updated: November 18, 2020

An updated version of the Payment Card Industry Data Security Standard (PCI DSS) must be adopted by any enterprise that interacts with payment cards by June 30, 2018. PCI DSS is a standard set for enterprises that gather, store, and use customers’ payment card data when a product or service is purchased. Meeting the compliance requirements set under PCI DSS helps safeguard customer data and reduces the risk of payment card data and other information being lost to cybercriminals. The standard covers security management, policies and procedures, network architecture, software design, and more.

What PCI DSS does

The importance of PCI DSS cannot be stressed enough. For example, an identity protection company found that in 2017 alone, 14.2 million credit card numbers were exposed, an 88% increase over 2016. Worse, this number is expected to keep rising in 2018. That is where PCI DSS helps. The goal of adhering to PCI DSS is to hold merchants to defined standards when collecting, processing, and transmitting consumer data. Since its inception in December 2004, PCI DSS has become the standard for merchants that handle payment card information.

PCI DSS has received several revisions during its 14-year life to reflect emerging technologies and updated risks and threats, and has also been edited for clarity and flexibility. The June 30, 2018 update is PCI DSS 3.2, which includes important changes that further protect consumers’ sensitive information. To achieve PCI DSS 3.2 compliance, organizations must meet a number of requirements. Some of the objectives mandated in the newest version are:

  • Build and maintain a secure network and system: secure networks must be implemented and regularly maintained in order to carry out safe transactions.
  • Protect cardholder data: cardholder information must be kept secure whenever and wherever it is stored. If transmitted over public networks, it must be encrypted.
  • Maintain a vulnerability management program: all systems should run anti-virus and anti-spyware software that is regularly updated.
  • Implement strong access control measures: access to systems should be restricted.
  • Regularly monitor and test networks: all networks should be regularly monitored and tested to confirm that systems are up to date and not exposed to known vulnerabilities.
  • Maintain a policy that addresses information security for all personnel: a complete information security policy should be formulated and maintained.

What’s being updated?

PCI DSS 3.2 was originally published online in April 2016, with enforcement expected in February 2018. Enforcement of the PCI DSS 3.2 changes, however, begins June 30, 2018. Enterprise organizations are expected to be ready for these changes, since they have had over two years to get things in line. Failure to meet PCI DSS compliance requirements can result in the inability to accept credit cards and in large fines. On top of that, it may damage an organization’s reputation with consumers. Non-compliance can easily be the downfall of a brand.

According to the PCI Security Standards Council, there are a couple of important changes that must be made by organizations for PCI DSS 3.2:

  • Multi-factor authentication: this becomes a requirement for any person with administrative access (both internal and external) into the cardholder data environment. Each person who needs such access must present two or more credentials to reach this part of the network.
  • A more secure version of Transport Layer Security (TLS): TLS is the updated and more secure successor to Secure Sockets Layer (SSL). Both TLS and SSL refer to the standard technology for keeping Internet connections secure and safeguarding sensitive data sent between two networks; in other words, it is what encrypts sensitive information in transit. PCI DSS 3.2 requires all organizations to move to a more secure version of TLS: specifically TLS 1.1 at minimum, with TLS 1.2 highly recommended. Earlier versions of TLS are no longer considered secure, and all versions of SSL must be discontinued.
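As an added illustration of the TLS requirement above (example code written for this page, not from SecureLink or the PCI Security Standards Council), the following audit reads the enabled protocol list from constructed nginx and Apache configuration fragments and classifies it against the rule stated here. The version names and the expansion of Apache’s `all` shortcut are assumptions about those servers’ directive syntax.

```python
import re

# Ranking as the article states it for PCI DSS 3.2: every SSL version and
# TLS 1.0 must be discontinued, TLS 1.1 is the minimum, TLS 1.2 is recommended.
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
PROHIBITED = {"SSLv2", "SSLv3", "TLSv1"}

# Constructed sample configurations (not taken from any real deployment).
WEAK_NGINX = "server {\n    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n}\n"
FIXED_NGINX = "server {\n    ssl_protocols TLSv1.2;\n}\n"
APACHE_MIN = "SSLEngine on\nSSLProtocol all -SSLv3 -TLSv1\n"
APACHE_REC = "SSLEngine on\nSSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\n"


def parse_nginx(config):
    """Return the set of protocols enabled by nginx's ssl_protocols directive."""
    m = re.search(r"^\s*ssl_protocols\s+([^;]+);", config, re.M)
    if not m:
        raise ValueError("no ssl_protocols directive found")
    return set(m.group(1).split())


def parse_apache(config):
    """Return the set enabled by Apache's SSLProtocol directive, resolving the
    'all' shortcut (assumed to mean SSLv3 and up) and '+'/'-' prefixes."""
    m = re.search(r"^\s*SSLProtocol\s+(.+)$", config, re.M)
    if not m:
        raise ValueError("no SSLProtocol directive found")
    enabled = set()
    for tok in m.group(1).split():
        if tok.lower() == "all":
            enabled |= set(ORDER[1:])
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def assess(enabled):
    """Classify an enabled-protocol set: 'non-compliant' (SSL or TLS 1.0 still
    offered), 'compliant' (TLS 1.1 still offered, so the recommended floor is
    not met) or 'recommended' (TLS 1.2 or newer only), plus offending versions."""
    bad = sorted(enabled & PROHIBITED, key=ORDER.index)
    if bad:
        return "non-compliant", bad
    if "TLSv1.1" in enabled:
        return "compliant", ["TLSv1.1"]
    return "recommended", []
```

Running `assess(parse_nginx(WEAK_NGINX))` flags SSLv3 and TLSv1, while the corrected nginx fragment and the stricter Apache fragment come back as `recommended`.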

Why update?

After a cyberattack, enterprises frequently find that they were not fully compliant with the industry standards that might have protected them. Enterprises should instead be proactive and compliant from the start, adhering to the necessary standards and to the updates that arrive along the way. One of the biggest benefits of PCI DSS 3.2 compliance is protecting an enterprise and its clients from events such as cyberattacks.

Some organizations may already meet all PCI DSS 3.2 requirements, but it is always important to double-check that the standards are actually being met. The PCI Security Standards Council says the goal of this update is to establish “security processes that help prevent, detect, and respond to attacks that can lead to data loss.” Implementing PCI DSS might be the difference between a cyberattack and a regular day at work.

About SecureLink

Our sole focus is secure third-party remote access. For highly regulated enterprise organizations, SecureLink Enterprise has pioneered a secure remote access platform. SecureLink for enterprise allows an organization to identify, control, and audit third-party vendors. For vendors, SecureLink is the gold standard remote access support platform because it is easy, efficient, and ensures compliance and reduces liability when supporting customers.
