New PCI Rules Rooted in New Threats

The PCI Data Security Standard turned 10 years old in September, and today marks another milestone in its evolution: as of today, all PCI DSS assessments must evaluate compliance against version 3.2. The release carries an extensive list of new requirements and clarifications, although all of them will be considered “best practices” until Feb. 1, 2018, when they become enforceable. The two biggest changes, according to data security experts, involve multifactor authentication and responsibility when engaging third parties. Multifactor authentication will be required for all administrator access to the cardholder data environment, not just remote access, which was the rule in the previous version. Also, even if an e-commerce merchant outsources online payment processing to a third-party service provider, the merchant remains responsible for its own PCI compliance.

The changes in the PCI standard over the past 10 years reflect its response to the increasingly sophisticated threats that hackers pose every day, Michael Aminzade, vice president of global compliance and risk services at Trustwave, told CardNotPresent.com.

“Ten years ago the focus of the standard was promoting the removal of unnecessary storage of data, network security and basic web application security,” said Aminzade. “Now the focus is about transforming account data. It’s around service providers and third parties and their security and management of card data on behalf of merchants and their customers, and further encryption of card data inside the payment track. We can see a huge transformation from the first version of the standard to what the standard is focusing on today.”