Five new payment card data security requirements for third-party service providers are among the most significant changes included in version 3.2 of the PCI Data Security Standard released April 28, says Troy Leach, chief technology officer of the PCI Security Standards Council.
The new requirements for service providers, such as firms that operate security controls on a customer's behalf or encrypt card data for them, will require significant policy and procedural changes, Leach says, which is why the council is giving those companies until Jan. 30, 2018, to comply.
"We are giving ... service providers several business cycles to budget, plan, prepare and implement these types of changes," Leach explains during this interview with Information Security Media Group.
The new standard will require service providers to:
- Detect, report and respond to failures of critical security controls in a formal and timely way, rather than discovering that a control such as logging or file-integrity monitoring had silently stopped working only after a breach.
- Conduct penetration tests of segmentation controls at least every six months, and after any change to those controls, to prove that the cardholder data environment really is isolated from the rest of the network. "If a service provider is saying that they have isolated the card data environment, we require that they test that every year, or after so many changes to the environment; we're asking service providers to demonstrate that twice a year," Leach says.
- Perform reviews at least quarterly to confirm that personnel are actually following the organization's security policies and operational procedures. "They need to make sure that there's evidence in place that there's not a degradation that's slowly moving away from the expectations around processes and controls that the PCI standard lays out."
- Establish executive-level responsibility for protecting the cardholder data environment and for the PCI DSS compliance program, so that ownership is assigned at the management level rather than left to individual technical teams.
- Maintain documentation and evidence showing that the service provider knows, and is properly managing, the cryptography it uses on behalf of the organizations it serves, including the algorithms, key strengths and key-management practices involved.
In addition to the new requirements for service providers, the update also calls for more widespread use of multifactor authentication, Leach points out. Where earlier versions required it only for remote access from outside the network, version 3.2 extends the requirement to anyone with administrative access to the cardholder data environment, even from inside the corporate network.
"There needs to be some accountability for the administrators," he says, especially those whose credentials can be used to directly or indirectly access payment card data. "I think it's a significant change from an operations perspective, but a necessary change based on recent data breaches that we've heard about."
During this interview, Leach also discusses:
- Why version 3.2 is being issued just one year after the last PCI-DSS update, version 3.1;
- Why the PCI-DSS is now considered a "mature" security standard; and
- New migration deadlines for retiring Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) as encryption for payment traffic.
As part of his role with the council, Leach partners with council representatives, PCI participating organizations and industry leaders to develop comprehensive standards and strategies to secure payment card data and the supporting infrastructure. He is a congressional subject-matter expert on payment security and is the current chairman of the council's standards committee. Before joining the PCI Council, Leach held various positions in IT management, software development, systems administration, network engineering, security assessment, forensic analytics and incident response for data compromise.