Two major changes to the Payment Card Industry Data Security Standard (PCI DSS) earlier this year have given companies more time to adjust their existing procedures for credit card security.
In April’s version 3.2, the PCI Security Standards Council extended the deadline for removing SSL encryption from cardholder data environments from this summer to 2018, giving companies more time to move away from this widely used encryption protocol and to test replacement configurations. The postponement came after pushback from the industry stressing how deeply SSL was intertwined with existing business practices. Although migration is not required for two more years, the Council is encouraging companies that already planned an earlier migration to proceed on their original schedule rather than postpone.
“The Council wanted to acknowledge that removing SSL could cause production issues and have a major impact on many merchants, and therefore they wanted organizations to be able to go through the proper diligence, to do the testing necessary to migrate away from SSL to TLS, which is the SSL replacement,” said Mark Burnette, a shareholder with LBMC Information Security.
A second change mandates multi-factor authentication for all PCI administrators, requiring not only credentials but also another factor, such as a code, token, or biometric, to verify access. Previously, multi-factor authentication had been required only for remote connections; under the revised requirement it applies to every administrator accessing the cardholder data environment, regardless of how they connect. Though it may add friction to administrators’ workflows at PCI-compliant institutions, the new requirement is a clear win from a security standpoint: an outside party who has obtained valid credentials can no longer use them alone to reach sensitive cardholder information.
“The good news with this new requirement is that the PCI requirements give organizations a while to work this significant change into their environments. The PCI standard provides organizations until February 2018 to implement multi-factor authentication for administrators,” Burnette said.
Together, the amendments made to the existing PCI standards aim to ensure better security for payment cards, payment-card-focused organizations, and cardholders, gradually evolving the standard over the coming months and years.