The PCI Security Council, which said in early March that its new version (3.2) would be out sometime in April, is now saying that April 28 is the likely date and that the new rules will get stricter about authentication as well as about service providers.
In a blog post Tuesday (April 19), PCI Chief Technology Officer Troy Leach said the new rules will add “multi-factor authentication as a requirement for any personnel with administrative access into the cardholder data environment, so that a password alone is not enough to verify the user’s identity and grant access to sensitive information, even if they are within a trusted network.”
Leach said this will extend the additional authentication requirement to administrative personnel who previously had not been subject to it.
“The most important point is that the change to the requirement is intended for all administrative access into the cardholder data environment, even from within a company’s own network. This applies to any administrator, whether it be a third party or internal, that has the ability to change systems and other credentials within that network to potentially compromise the security of the environment,” Leach said. “This will not impact machine authentication where one system is communicating with another as it is intended for personnel authentication, nor will it impact administrators accessing directly from the console.”
New rules will also be imposed on service providers that in any way touch cardholder data.
“An organization could go to great lengths to protect their internal network only to see a third party negate all of their effort as indicated in data breach reports. That is why several new requirements were identified for service providers in PCI DSS 3.2. These new requirements should already be part of service providers’ efforts to successfully manage the effectiveness of security within the cardholder data environment,” Leach said. “These include actions such as maintaining a documented description of the cryptographic architecture and reporting on failures of critical security control systems. In addition, there’s a new requirement for executive management to establish responsibility for protection of cardholder data and the PCI DSS compliance program.”
The blog post did not address the date of the new release, but PCI Council spokesperson Laura Johnson said that the council is anticipating the release being published April 28.
With the FTC having recently announced plans to investigate PCI procedures and processes, any changes to PCI are going to generate greater than normal attention and review.