Updates, Guidance, and Stories from the Urbane team.
To Infinity, (Above) and Beyond!
The Payment Card Industry Data Security Standard (PCI DSS) is no longer a fledgling framework. The thought and process that has gone into the revisions to mature the PCI DSS has created a prescriptive list of controls that any organization would do well to follow. However, even the PCI Security Standards Council steadfastly maintains that the PCI DSS is only a baseline of controls. So let’s go through a thought exercise about additional controls that are not in the PCI DSS but could be used improve the security of your environment.
Are You Ready for the New PCI DSS Requirements in 2018?
Were you the kid who came straight home from school and started the new project on the day it was assigned? Or were you the type who would calculate in your head exactly how much you could procrastinate before starting? Playing that new video game or riding bikes outside with your friends always seemed like more fun than a new compliance requirement, er, homework.
The PCI Security Standards Council released the newest version of the PCI DSS in April 2016. It contained quite a few minor changes and updates as well as nine brand new requirements. After pushing the SSL/TLS migration deadlines back due to industry pressure and tight implementation deadlines, they prudently provided almost two years of lead time for the enforcement of these new controls. The grace period is almost over. All new requirements introduced in the PCI DSS v3.2 are a best practice currently and will go into effect as of February 1, 2018.
Recent Guidance from the PCI Council
One would think that the publication of the next version of the PCI DSS (April 2016) as well as the sunset date of the previous version (in October 2016) would constitute a pretty full year for PCI. However, the end of 2016 and beginning of 2017 saw a flurry of activity from the PCI Security Standards Council (PCI SSC), specifically around their Guidance Documents.
The following Information Supplements were published in the last year:
- Assessment Guidance for Non-Listed Encryption Solutions (November 2016)
- Guidance for PCI DSS Scoping and Network Segmentation (December 2016 & May 2017)
- Multi-Factor Authentication (February 2017)
- Best Practices for Securing E-commerce (April 2017)
While there is too much detail in each document to cover everything here, I’ve tried to summarize the information provided by each document and add any commentary that may help you understand the details in each supplement.