Site logo graphic

August 17th, 2016

PCI-DSS 3.2: What call centers need to know

Developed to encourage and enhance cardholder data security, the Payment Card Industry Data Security Standards (PCI-DSS), facilitates the broad adoption of consistent data security measures globally. It applies to all entities involved in payment card processing, and is specifically designed to protect account data.

With the recent release of the newest version PCI-DSS 3.2, there are some changes call centers and telecommunications companies need to know about.

  1. When to implement the new version?

To detect and respond to attacks, it is recommended that vendors review the update and begin incorporating the changes as soon as possible. The previous release, PA-DSS version 3.1 retires on October 31st, 2016.

  1. What are some of the additions? 

Research has shown that many organizations view PCI-DSS compliance as an annual exercise, with no processes in place to ensure that security standards are continuously enforced. To provide greater assurance of security for service providers and customers, The PCI-DSS Supplemental Designated Entities Validation (DESV) criteria was added as an appendix to the standard. In addition, existing PCI-DSS requirements were expanded to incorporate DESV controls for service providers.

It is important to help create a process to analyze how changes impact the environment and security controls to protect cardholder data. The new release of PCI-DSS 3.2 also strives to ensure security controls are in place following a change in their cardholder environment. Incorporating these processes helps ensure that "device inventories and configuration standards are kept up to date, and security controls are applied when needed. (https://blog.pcisecuritystandards.org/pci-dss-32-is-here)" The hope is that the addition will eventually lead to better efficiency in reporting.

Moving forward, requirements 10.8 and 10.8.1 ensure that service providers need to detect and report on failures of critical security control systems. This shortens the time attackers have to compromise the system and steal sensitive data. More so, new requirement 11.3.4.1 details the penetration testing on segmentation controls service providers must perform every six months. Previously, service providers only had to perform these tests annually, and the change emphasizes the importance of more frequency testing to confirm security controls are working.

Most notably, the new requirements necessitate the use of multi-factor authentication. This requires two or more technologies to authorize a person's access to card and data systems. These technologies can include a password or pass phrase, something you have, and/or a smart card. This system is already a requirement for remote access, but now multi-factor authentication is a requirement for any personnel with administrative access. This way, a password is not enough to verify a user's identity and secure access to sensitive information.

For a complete list of all the changes, gain access to the full document here: LINK