[BreachExchange] How data breaches have driven the updated PCI standard

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jul 29 14:16:49 EDT 2016


http://www.hotelmanagement.net/tech/how-data-breaches-have-driven-updated-pci-standard

The Payment Card Industry Security Standards Council published a new
version of its data security standard, which businesses around the world
use to safeguard payment data before, during and after a purchase is made.

PCI Data Security Standard version 3.2 replaces version 3.1 to address
growing threats to customer payment information. Companies that accept,
process or receive payments should adopt it as soon as possible to prevent,
detect and respond to cyber attacks that can lead to breaches. Version 3.1
will expire on Oct. 31.

“The payments industry recognizes PCI DSS as a mature standard, so the
primary changes in version 3.2 are clarifications on requirements that help
organizations confirm that critical data security controls remain in place
throughout the year, and that they are effectively tested as part of the
ongoing security monitoring process,” said PCI Security Standards Council
GM Stephen Orfei. “This includes new requirements for administrators and
service providers and the cardholder data environments they are
responsible to protect. PCI DSS 3.2 advocates that organizations focus on
people, process and policy, with technology playing an important role in
reducing the overall cardholder data footprint.”

The update to the standard is part of the regular process for ensuring the
PCI DSS addresses current challenges and threats. This process factors in
industry feedback from the PCI Council’s 700+ global participating
organizations, as well as findings from data breach reports and changes in
payment acceptance.

“We’ve seen an increase in attacks that circumvent a single point of
failure, allowing criminals to access systems undetected, and to
compromise card data,” said Troy Leach, PCI Security Standards Council
chief technology officer. “A significant change in PCI DSS 3.2 includes
multifactor authentication as a requirement for any personnel with
administrative access into environments handling card data.”

Previously, this requirement applied only to remote access from untrusted
networks. “A password alone should not be enough to verify the
administrator’s identity and grant access to sensitive information,” Leach
said. “Additionally, service providers, specifically those that aggregate
large amounts of card data, continue to be at risk. PCI DSS 3.2 includes
updates to help these entities demonstrate that good security practices are
active and effective.”
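The scope change Leach describes (MFA for any administrative access into the cardholder data environment, where version 3.1 required it only for remote access from untrusted networks) is the kind of thing an assessor or internal auditor checks against authentication logs. The script below is an added illustration, not part of the article or any PCI Council material: it parses a few constructed JSON-lines authentication events and lists successful logins that completed without a second factor but would have needed one under each version's scope. The log format and field names (`role`, `in_cde`, `remote`, `trusted_network`, `mfa`) are assumptions.

```python
import json
from dataclasses import dataclass

# Constructed sample authentication events (not from the article), one JSON
# object per line, roughly as a SIEM export might look. Field names are assumed.
SAMPLE_AUTH_LOG = """\
{"user":"dba01","role":"admin","host":"cde-db-01","in_cde":true,"source":"10.20.0.5","remote":false,"trusted_network":true,"mfa":false,"result":"success"}
{"user":"ops02","role":"admin","host":"cde-app-01","in_cde":true,"source":"203.0.113.7","remote":true,"trusted_network":false,"mfa":false,"result":"success"}
{"user":"ops03","role":"admin","host":"cde-app-02","in_cde":true,"source":"203.0.113.9","remote":true,"trusted_network":false,"mfa":true,"result":"success"}
{"user":"dev04","role":"user","host":"corp-wiki","in_cde":false,"source":"10.30.0.8","remote":false,"trusted_network":true,"mfa":false,"result":"success"}
{"user":"adm05","role":"admin","host":"cde-pos-01","in_cde":true,"source":"10.20.0.9","remote":false,"trusted_network":true,"mfa":true,"result":"success"}
{"user":"adm06","role":"admin","host":"cde-db-02","in_cde":true,"source":"10.20.0.11","remote":false,"trusted_network":true,"mfa":false,"result":"failure"}
"""


@dataclass(frozen=True)
class AuthEvent:
    user: str
    role: str
    host: str
    in_cde: bool            # target host is inside the cardholder data environment
    remote: bool            # session originated outside the local network
    trusted_network: bool   # source network is one the entity treats as trusted
    mfa: bool               # a second factor was verified for this session
    success: bool


def parse_events(text):
    """Parse JSON-lines authentication events into AuthEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append(AuthEvent(
            user=rec["user"], role=rec["role"], host=rec["host"],
            in_cde=bool(rec["in_cde"]), remote=bool(rec["remote"]),
            trusted_network=bool(rec["trusted_network"]),
            mfa=bool(rec["mfa"]), success=rec["result"] == "success"))
    return events


def mfa_required(ev, version):
    """True if PCI DSS `version` expects a second factor for this session.

    3.1: remote access from an untrusted network only.
    3.2: that, plus any administrative access into the CDE, as the article
         describes the change. No other requirement text is modelled here.
    """
    remote_untrusted = ev.remote and not ev.trusted_network
    if version == "3.1":
        return remote_untrusted
    if version == "3.2":
        return remote_untrusted or (ev.role == "admin" and ev.in_cde)
    raise ValueError("unknown PCI DSS version: %r" % version)


def find_gaps(events, version):
    """Successful logins that needed MFA under `version` but had none.

    Failed attempts are skipped: the control of interest is access that was
    actually granted on a password alone.
    """
    return [ev for ev in events
            if ev.success and mfa_required(ev, version) and not ev.mfa]


def gap_users(text, version):
    """Sorted usernames with at least one MFA gap under the given version."""
    return sorted({ev.user for ev in find_gaps(parse_events(text), version)})


if __name__ == "__main__":
    for v in ("3.1", "3.2"):
        print("PCI DSS %s gaps: %s" % (v, gap_users(SAMPLE_AUTH_LOG, v)))
```

Run against the constructed log, the 3.1 rule flags only the remote login from an untrusted address, while the 3.2 rule also flags the local administrator who reached a CDE database host with a password alone. That second finding is exactly the population the expanded requirement targets, and it is invisible to a check that only looks at remote access.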