Updates, Guidance, and Stories from the Urbane team.
Are You Ready for the New PCI DSS Requirements in 2018?
Were you the kid who came straight home from school and started the new project on the day it was assigned? Or were you the type who would calculate in your head exactly how much you could procrastinate before starting? Playing that new video game or riding bikes outside with your friends always seemed like more fun than a new compliance requirement, er, homework.
The PCI Security Standards Council released the newest version of the PCI DSS in April 2016. It contained quite a few minor changes and updates as well as nine brand new requirements. After pushing the SSL/TLS migration deadlines back due to industry pressure and tight implementation deadlines, they prudently provided almost two years of lead time for the enforcement of these new controls. The grace period is almost over. All new requirements introduced in the PCI DSS v3.2 are a best practice currently and will go into effect as of February 1, 2018.
Recent Guidance from the PCI Council
One would think that the publication of the next version of the PCI DSS (April 2016) as well as the sunset date of the previous version (in October 2016) would constitute a pretty full year for PCI. However, the end of 2016 and beginning of 2017 saw a flurry of activity from the PCI Security Standards Council (PCI SSC), specifically around their Guidance Documents.
The following Information Supplements were published in the last year:
- Assessment Guidance for Non-Listed Encryption Solutions (November 2016)
- Guidance for PCI DSS Scoping and Network Segmentation (December 2016 & May 2017)
- Multi-Factor Authentication (February 2017)
- Best Practices for Securing E-commerce (April 2017)
While there is too much detail in each document to cover everything here, I’ve tried to summarize the information provided by each document and add any commentary that may help you understand the details in each supplement.
Evolving NIST Password Guidance and PCI
Passwords are difficult. They have to be a certain length, use certain characters, change at certain intervals, and worst of all they have to be memorable. But the NIST Trusted Identities Group thinks that should change.
The new draft version of NIST’s Digital Identity Guidelines (SP 800-63-3) is in the process of being finalized. The sub-publication on Authentication & Lifecycle Management (800-63b) contains some interesting changes to password composition and management. The document uses the term “memorized secrets” to refer to passwords and PINs. Also, as this is still a DRAFT version, it is advisable to wait for the final publication to refer to before changing security policies.