01Jul, 2016

PCI DSS/ Security Compliance

Multi-factor authentication and the latest PCI DSS standards

The PCI Security Standards Council (PCI SSC) says its new version 3.2 will be used by payment application vendors to ensure their software products will protect payment card data from theft. That’s why the application of multi-factor authentication is an important step in the development of the latest PCI DSS standards.

The council says the introduction of the new version is a great opportunity for any company handling credit card data to check and evaluate how it accepts payments and whether it can reduce the risk to its customers by changing business practices relating to cardholder data exposure.

The changes within version 3.2 also invite companies to evaluate newer payment technologies such as tokenization and encryption (please note IP Solutions has been leveraging both approaches for ten years!).

The council says in its review that it closely evaluated additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE); in so doing it incorporated some of the Designated Entities Supplemental Validation (DESV) criteria for service providers; similarly it clarified masking criteria for primary account numbers (PAN) when displayed; and included the updated migration dates for SSL/early TLS that were published in late 2015.

Part of the council’s multi-factor authentication was based on its analysis of recent cardholder data breaches and PCI DSS compliance observations which reveal that many organisations still view the act of compliance as an annual exercise and as such do not have processes in place to ensure that PCI DSS security controls are continuously enforced.

It says the process of adhering to PCI DSS requirements is what is meant to be “PCI compliant”. The Report on Compliance (ROC) is a way to confirm that the steps are in place and can evolve as an organisation changes over a period.

These changes for service providers will provide greater assurance that security will remain as expected for both the provider and the customers that rely on these services. Again this reinforces the value of multi-factor authentication within the PCI DSS security standards.

To read more about PCI DSS multi-factor authentication and the latest PCI DSS version 3.2 download a copy of our free eBook here or speak with one of our consultants here.

Related Articles

The benefits of mandatory data breach notification laws in Australia

Mandatory data breach notification laws would result in greater security for Australians and improved protection of their sensitive information. And i

Read More

Cost of data breach report (with Australian Statistics)

Ponemon Institute 2013 Cost of Data Breach report The 2013 Cost of Data Breach report published by the Ponemon Institute (sponsored by Symantec) revea

Read More

How to survive a data breach

In the past two years, LinkedIn, eHarmony, Twitter, Adobe and, most recently, Target have suffered data breaches that together exposed more than 120 m

Read More

Credit card data discovery tools lay the foundation for good data security

Card Holder Data (CHD) discovery tools are becoming essential in identifying none secure sensitive data locations. Since December 2013, a series of da

Read More