PCI To Publish New Version April 28 With More Strict Authentication, Service Provider Rules


“The most important point is that the change to the requirement is intended for all administrative access into the cardholder data environment, even from within a company’s own network. This applies to any administrator, whether it be a third party or internal, that has the ability to change systems and other credentials within that network to potentially compromise the security of the environment,” Leach said. “This will not impact machine authentication where one system is communicating with another as it is intended for personnel authentication, nor will it impact administrators accessing directly from the console.”

“An organization could go to great lengths to protect their internal network only to see a third party negate all of their effort as indicated in data breach reports. That is why several new requirements were identified for service providers in PCI DSS 3.2. These new requirements should already be part of service providers’ efforts to successfully manage the effectiveness of security within the cardholder data environment,” Leach said. “These include actions such as maintaining a documented description of the cryptographic architecture and reporting on failures of critical security control systems. In addition, there’s a new requirement for executive management to establish responsibility for protection of cardholder data and the PCI DSS compliance program.”

Source = http://paymentfacilitator.com/security/pci-to-publish-new-version-april-28-with-more-strict-authentication-service-provider-rules/

PCI 3.2 Summary Changes = http://blog.pcisecuritystandards.org/preparing-for-pci-dss-3-2-summary-of-changes