PCI DSS 3.2 lands, urges you to make haste slowly
Standard suggests death for old TLS … by the generous deadline of July 2018
The 2016 upgrade to the PCI DSS standard, version 3.2, has landed.
As foreshadowed in February, the PCI Security Standards Council has eschewed “big bang” updates in favour of more digestible revisions to the standard.
And those who adhere to a purist view of infosec probably won't be pleased. For example, as explained by the PCI SSC's CTO Troy Leach, organisations should be migrating away from SSL and older TLS, but there remain two years for that transition to complete.
Compliance with the TLS and SSL requirements is mandated from July 2018.
To make it harder for attackers to use administrative credentials to access systems, DSS 3.2 requires multi-factor authentication for sysadmins.
Two-factor authentication had previously been a requirement for remote access into the cardholder data environment; now, even sysadmins with local access to the environment will need more than a password to log in.
Multi-factor authentication has to be implemented no later than February 1, 2018.
There are new requirements for service providers under “Designated Entities Supplemental Validation (DESV)”.
These include detection mechanisms to pick up failures of “critical” security controls; bi-annual penetration tests; and quarterly checks that personnel are complying with security policies.
Service provider executives are also required to demonstrate an understanding of PCI DSS compliance.