PCI SSC Publishes Updated Data Security Standard | Practical Law

The Payment Card Industry Security Standards Council (PCI SSC) published a new version of its data security standard requiring payment card administrators to use multi-factor authentication when accessing the cardholder data environments, among other requirements.

Practical Law Legal Update w-002-1949 (Approx. 3 pages)

by Practical Law Intellectual Property & Technology
Published on 29 Apr 2016, USA (National/Federal)
The Payment Card Industry Security Standards Council (PCI SSC) published a new version of its data security standard (PCI DSS) on April 28, 2016, to address growing threats to customer payment information. The new PCI DSS version 3.2 changes include:
  • Requiring multi-factor authentication for any personnel with administrative access to cardholder data environments.
  • Revised sunset dates for Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) communication protocols.
  • Additional security validation steps for service providers and others.
  • Effective February 1, 2018, new service provider requirements to:
    • perform penetration testing on segmentation controls at least every six months;
    • perform reviews at least quarterly to confirm that personnel are following security policies and operational procedures;
    • have executive management establish responsibilities for the protection of cardholder data and a PCI DSS compliance program;
    • implement processes to detect and report failures of critical security control systems in a timely manner;
    • include PCI DSS requirement verification in change management processes; and
    • maintain a documented cryptographic architecture description.
PCI SSC encourages companies that accept, process, or receive payments to adopt this new standard as soon as possible. The previous version, PCI DSS 3.1, expires October 31, 2016.
The complete PCI DSS 3.2 is available in the PCI SSC Document Library.