The new PCI DSS 3.2 standards – New authentication requirements for cardholder data

Poor password management – including the continued reliance on default, stolen, weak and non-unique passwords – is a key factor in more than 80% of hack-driven breaches, according to Verizon’s 2017 Data Breach Investigation Report. In response to growing waves of fraud and data leakage, the PCI Security Standards Council, the global payment card authority, is updating industry-wide standards to improve authentication, third-party accountability and software design. The Payment Card Industry Data Security Standard (PCI DSS 3.2) went into effect February 1, 2018 – writes Dirk Denayer, Business Solutions Manager at VASCO Data Security.
One of the standard’s key changes is to authentication. PCI DSS 3.2’s Requirement 8.3 makes multi-factor authentication (MFA) mandatory for all involved in payment card processing: merchants, processors, acquirers, issuers, service providers, and any entities storing, processing or transmitting cardholder data and/or sensitive authentication data.
The revised standard is a response to breaches of major retailers – including Target and Home Depot in the US, which compromised the payment card information of 130+ million consumers. This fall’s Equifax “mega-breach” further underscored the urgent need for more and better protections, both for consumers and for all in the transaction chain.
Updated Multi-Factor Authentication and Cardholder Data Environment Policies
The newer “multi-factor authentication” term replaces the previously used “two-factor authentication” requirement. This may seem a minor change, but it both raises and clarifies the standard’s minimum requirements for authentication.
Another important change is the scope of access points covered by the standard’s authentication requirements, which now expands to include all who have “non-console administrative access” to the Cardholder Data Environment (CDE). This means that multi-factor authentication is now required for everyone accessing data over a network rather than via a direct physical connection, including internal and external networks. It applies to general users, administrators and third parties such as vendors (for support and maintenance) with remote access to the network – wherever that access might ultimately result in access to the CDE. Think of this as the Target HVAC clause.