“New” PCI Compliance v3.2 now published

PCI – Payment Card Industry v3.2¹ is now in effect As of April 2016 published date.

So what has changed? What else do merchant vendors and providers have to do to keep “DSS Compliant” status.

pci-dss-compliant

 

Remember our post on December 2015² ?  It noted that SSL technology for Internet commerce is not good enough anymore. So no surprise this has now been incorporated into  PCI DSS.

Now all secure Internet commerce must stop using SSL and early TLS technologies and a secure method must be used by June 30, 2016.

Another item is pentesting – the more you pentest the better so instead of annual as a minimum the min now is every six months.

 

Other changes have to do with clarifying and fixing typos in the older document(v3.1).

A point by point change document is in this pdf:

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2_Summary_of_Changes.pdf

Other notable changes (besides notation modifications etc)

There is now a new requirement for any access to the network for credit card connections to be multi-factor authentication (i.e. 2FA two factor authentication or higher)

Service providers have additional requirements and responsibilities which are in effect on February 2018.

An assessor needs to verify that storage locations are reviewed annually at minimum.

 

As usual as we have discussed this before, as PCI compliance is always a step behind the bad guys methods, If you want to focus on a 21st century cyber defense it has to be more than PCI compliance.

 

One has to know the risk analysis assessment  with likelihood and impact.

Then from there one has to decide if pentests are enough at 2x per year. Some are doing vulnerability analysis on a daily basis – or at least after any changes to environment.

Your risk analysis must be inline with your business goals,  so you should worry about general security not just PCI compliance.

riskanalysis

 

And applying patches should not be done without any tests or reviews.

As you can see here “Don’t Trust all plugins – and  Verify First”³

donttrustandverifyallplugins

 

Essentially what happened is that a hacker took over a plugin somehow, and then “added” hacker control code into an update for the plugin (CCTM – Custom Content Type Manager).  So it is not good just to patch or update without doing any testing or verification.

Plus doing backups is also a good thing before patching.

 

All of these things add more time, and if you did not allocate resources properly it will open an opportunity for hackers.  But this is unfortunately expected as the offense will always be a step ahead.

 

Contact US (contact Tony Zafiropoulos at 314-504-3974) to discuss this or any security topic

 

  1. https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf
  2. http://oversitesentry.com/internet-insecure-without-tls/
  3. http://oversitesentry.com/dont-trust-and-verify/

 

 

Advertisements