Skip to content

Compliance Tips for PCI DSS 3.2

The looming PCI DSS 3.2 update deadline could present you with challenges or opportunities to protect your data and comply with regulations, depending on your current preparedness.

Adhering to version 3.2 of the PCI Data Security Standard assures your customers that their data is safe and assures regulators that your organization’s security is up to date, thereby allowing your company to keep doing what it does.  

But if your company processes payments and is not PCI-compliant, you could lose customers, incur fines, and possibly be prohibited from accepting credit cards. A mandate for migrating from SSL and early TLS presents similar opportunities and poses comparable risks.

Here are three things to know about the 2018 deadline for the PCI DSS update to ensure your company is compliant and as protected as it can be from security breaches.

1. February 1, 2018, is the effective date for all new requirements introduced in PCI DSS version 3.2.

The PCI Standards Council released version 3.2 in April 2016. But the council set a deadline of January 31, 2018, so that companies would have “several business cycles to budget, plan, prepare and implement” the significant policy and procedural changes necessary to comply, according to a Bank Info Security article on new requirements for service providers.

In summarizing version 3.2, Bank Info Security notes that service providers must:

  • Detect and respond to critical failures in a formal and prompt way
  • Conduct regular penetration tests on segmentation controls
  • Perform at least quarterly reviews of the personnel who are responsible for ensuring the organization is adhering to security policies and procedures
  • Establish responsibility for protecting the card data environment through an executive/management level process
  • Provide more documentation and evidence that demonstrate service providers are aware of, and properly managing, the type of cryptography that is being used by the organizations they service

Several of the requirements of the PCI DSS update were published with a note stating, “This requirement is a best practice until 31 January 2018, after which it becomes a requirement.” So, while compliance is required beginning February 1, implementation has been urged to take place sooner.

“From a security viewpoint, best practice is what is needed to address the threat. All organizations should consider implementing these best practices into their environment as soon as possible, even if they are not required to validate to them,” wrote Gill Woodcock, senior director of certification programs for the PCI Security Standards Council (PCI SSC), in a blog post on keeping up to date with PCI DSS dates.

2. The grace period for complying with new encryption protocols expires on June 30, 2018.

The PCI SSC announced in April 2015 that Secure Sockets Layer (SSL) could not be used as a security control after June 30, 2016, but the council revised and updated sunset dates so that companies would have longer to comply. You now have until June 30, 2018, to stop using SSL and early Transport Layer Security (TLS), and will have to use at least TLS 1.1 thereafter.

Once the epitome of evolved protection, SSL and early TLS are nearing extinction because their weaknesses have been exposed. SSL and early TLS date back to the 1990s but failed to keep up with more sophisticated attacks.

“There are many serious vulnerabilities in SSL and early TLS that left unaddressed put organizations at risk of being breached,” wrote Laura K. Gray, senior director of communications for the PCI SSC in a blog post on saying goodbye to SSL and early TLS. “The widespread POODLE and BEAST exploits are just a couple examples of how attackers have taken advantage of weaknesses in SSL and early TLS to compromise organizations.”

Though online and e-commerce environments using SSL and early TLS are most susceptible to the SSL exploits and attacks, the PCI DSS migration date applies to all environments, except for payment terminals (POIs) (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS.
The National Institute of Standards & Technology (NIST) says that SSL and early TLS cannot be patched or fixed to provide adequate protection. Their vulnerabilities can be classified in terms of protocol, implementation, or configuration.

3. Upgrading to stronger encryption provides better protection for data in flight.

The PCI SSC requires migration to TLS 1.1, but recommends going to TLS 1.2.This is the only way to protect against current protocol vulnerabilities.

Patching TLS software against implementation vulnerabilities helps as well, so the PCI SSC urges you to keep your TLS software up to date.

Also, configuring TLS securely—for example, ensuring that secure TLS cipher suites and key sizes are supported—will protect you against configuration vulnerabilities.

Combining all three of these measures will protect you against protocol, implementation, and configuration vulnerabilities. Using Multi-Factor Authentication (MFA) that does not utilize SMS texts will provide additional protection.

Protecting against data breaches and complying with regulations require constant adjustment. Knowing these three changes about the 2018 deadline for the PCI DSS update will help you protect and comply so that your company can focus on doing what it does best.

Want to learn more about the PCI DSS 3.2 update and what you must do to prepare? Contact us for a free consultation.

 

CyberGuard Compliance | Cybersecurity Resource Download