What’s new in PCI DSS 3.2 Requirement 8?
When US gangster Willie Horton was asked why he robbed banks, he said, “That’s where the money is.” Digital fraudsters share the same motivation today, which is why merchants have become the targets of financial scams.
Some numbers for illustration: according to PrivacyRights.org, more than 898 million records containing sensitive information were exposed in 4,823 data breaches made public between January 2005 and April 2016.
Additionally, risky behavior may expose cardholders’ personal data. A survey of businesses in the U.S. and Europe reveals activities that may put cardholder data at risk:
- 81% store payment card numbers.
- 73% store payment card expiration dates.
- 71% store payment card verification codes.
- 57% store customer data from the payment card magnetic stripe.
- 16% store other personal data.
Source: Forrester Consulting: The State of PCI Compliance (commissioned by RSA/EMC)
To prevent financial fraud and its serious consequences, it is crucial to strengthen the security of cardholder data and fully protect payment data. PCI DSS was created for that purpose.
What is the PCI DSS Standard?
PCI DSS stands for Payment Card Industry Data Security Standard. It is an information security standard for organizations that handle branded credit cards from the major card schemes, including Visa, MasterCard, American Express, Discover, and JCB.
Originally, it was a collaboration between Visa and MasterCard; however, other card companies that operate in the US have endorsed the PCI DSS within their respective programs.
This standard is designed to create common industry security requirements. It consists of 12 basic requirements and is supported by over 200 detailed sub-requirements.
Some facts about PCI DSS Standard
- This standard was developed to encourage and enhance cardholder data security and to facilitate broad adoption of consistent data security measures globally.
- The individual payment brands enforce compliance with the PCI DSS and determine any penalties for non-compliance.
- Companies that want to be PCI DSS compliant must undergo a security audit by an independent body.
- PCI DSS applies to all entities involved in payment card processing—including merchants, processors, financial institutions, and service providers, as well as all other entities that store, process, or transmit cardholder data and/or sensitive authentication data.
Multi-factor authentication as one of the biggest changes coming in PCI DSS 3.2
Multi-factor authentication (MFA) is the concept of requiring a user to provide two or more forms of self-identification for authorization to access a system. Typically, these are:
- What you know: password or passphrase
- What you have: token, smart card, or access to a mobile device
- What you are: fingerprint, retina, or other biometric verification
According to PCI Security Standards Council Chief Technology Officer, Troy Leach: “The significant change in PCI DSS 3.2 adds multi-factor authentication as a requirement for any personnel with administrative access into the cardholder data environment, so that a password alone is not enough to verify the user’s identity and grant access to sensitive information, even if they are within a trusted network.”
Previous PCI DSS versions required two-factor authentication only for untrusted, remote access into the cardholder data environment.
Now let’s dig into things and zoom in on Requirement 8 which covers secure access to cardholder data.
Requirement 8.1.5 clarifies that ALL third parties who access the cardholder data environment (CDE) remotely, regardless of their relationship to the organization, are required to use multi-factor authentication; the requirement is no longer limited to vendors.
A far larger change has been introduced in Requirement 8.3, which has been broken down into two sub-requirements. The new sub-requirement greatly expands the need for MFA to individuals accessing the CDE from within the office.
Requirement 8.3.1 (new) requires MFA for all personnel with non-console administrative access to the cardholder data environment, i.e. all local access to CDE systems and databases that hold cardholder data. Requirement 8.3.1 becomes effective on February 1, 2018.
Requirement 8.3.2 requires MFA for all personnel with remote access to the cardholder data environment.
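The two sub-requirements above translate into a simple audit rule, shown here as an added example that is not part of the original article: every access to a CDE system, local or remote, must present factors from at least two of the three categories listed earlier (know, have, are), so two passwords do not count as MFA. The factor names, user names and access events below are constructed for illustration.

```python
# Added example, not from the original article: audit constructed CDE access
# records against PCI DSS 3.2 Requirements 8.3.1 (local) and 8.3.2 (remote).
# Two factors only count as MFA when they come from two different categories.
from dataclasses import dataclass, field

# Each factor type the article lists, mapped to know / have / are.
FACTOR_CATEGORY = {
    "password": "know", "passphrase": "know",
    "hardware_token": "have", "smart_card": "have", "mobile_app": "have",
    "fingerprint": "are", "retina": "are",
}

@dataclass
class AccessEvent:
    user: str
    source: str                       # "local" or "remote"
    factors: list = field(default_factory=list)
    in_cde: bool = True               # target system is inside the CDE

def distinct_categories(factors):
    """Return the set of MFA categories present; unknown factor types are ignored."""
    return {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}

def evaluate(event):
    """Return (compliant, requirement, reason) for a single access event."""
    if not event.in_cde:
        return True, None, "system outside the CDE; Requirement 8.3 does not apply"
    req = "8.3.2" if event.source == "remote" else "8.3.1"
    cats = distinct_categories(event.factors)
    if len(cats) >= 2:
        return True, req, "MFA satisfied (" + ", ".join(sorted(cats)) + ")"
    if len(event.factors) >= 2:
        return False, req, "two factors but from one category; not MFA"
    return False, req, "single factor only"

def violations(events):
    """Users whose CDE access would fail Requirement 8.3.1 or 8.3.2."""
    return [e.user for e in events if not evaluate(e)[0]]

# Constructed sample events (hypothetical users and systems).
SAMPLE_EVENTS = [
    AccessEvent("admin1", "local", ["password", "hardware_token"]),
    AccessEvent("dba2", "local", ["password"]),   # allowed before 3.2, fails 8.3.1 now
    AccessEvent("vendor3", "remote", ["password", "passphrase"]),
    AccessEvent("hr4", "local", ["password"], in_cde=False),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e.user, *evaluate(e))
```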
To conclude, Requirement 8.3 in the latest PCI DSS version requires organizations to extend multi-factor authentication to all users, whether they work in the office or access systems remotely, and to all privileged administrator access. An organization that already has two-factor authentication for remote users will now need to extend it to users accessing those systems from the office as well.