In version 3.2, released in April, the PCI Security Standards Council extended the deadline for removing SSL encryption from cardholder data environments from this summer to 2018, giving companies more time to move away from this widely used protocol and to test the replacement configurations. The postponement came after pushback from the industry stressing how deeply SSL was woven into business practices. While migration is not mandatory for two more years, the Council is encouraging companies that already planned an earlier migration to proceed on their original schedule rather than postpone.
“The Council wanted to acknowledge that removing SSL could cause production issues and have a major impact on many merchants, and therefore they wanted organizations to be able to go through the proper diligence, to do the testing necessary to migrate away from SSL to TLS, which is the SSL replacement,” said Mark Burnette, a shareholder with LBMC Information Security.
A second change mandates multi-factor authentication for all PCI administrators, requiring not only credentials but also a second factor, such as a code, token, or biometric, to verify access. Previously, multi-factor authentication had been required only for remote connections; with the change to the PCI requirements, it now applies to all administrators accessing the cardholder data environment, regardless of how they connect. Though it may add friction to the workflow at PCI-compliant institutions, the new requirement is a clear win from a security standpoint, since an outside party who has obtained an administrator's credentials alone can no longer use them to reach sensitive information.