February will bring Groundhog Day, Valentine's Day, the return of the Year of the Dog in the Chinese calendar and another important deadline for your compliance with the Payment Card Industry Data Security Standard (PCI DSS).
On Feb. 1, version 3.2 best practices transition to full requirements. These controls must be in place by that date and not deferred until the time of your annual assessment.
These best practices are indeed practices that every organization should implement as soon as possible. Ideally you already have your plans underway, and here is some information that will help you along.
Best practices for merchants that are becoming requirements are:
The PCI Security Standards Council (SSC), which manages the standard, offers a supplement called Guidance for Multi-Factor Authentication (PDF).
The SSC notes that while it does not currently require multi-factor implementations to meet all the principles described in this guidance document, it may in the future, and these industry-recognized best practices provide a roadmap for future security considerations.
Merchants should also make sure that their service providers are adhering to these new requirements.
Seven best practice sub-requirements for service providers take effect on Feb. 1:
And while PCI DSS 3.2 explicitly extended the deadline for migration from SSL and early TLS to June 30, 2018, you should already have your formal risk mitigation plan in place and be working quickly to get away from these insecure protocols. As stated in the 2017 Trustwave Global Security Report, for the second year in a row, four of the top five vulnerabilities that our network scanning systems detected resulted from insecure server configurations for Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
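The kind of insecure server configuration referred to above is usually a single directive that still lists SSL or early TLS. The following added example (not code from the original post or from Trustwave) audits an nginx-style `ssl_protocols` line against the protocols the migration deadline concerns and shows the corresponding hardened client setting in Python's own `ssl` module. The two config lines are constructed samples; the mapping of SSLv2, SSLv3 and TLSv1 to "prohibited" and TLSv1.1 to "discouraged" is an assumption about how the SSC migration guidance is read, not something this post states.

```python
import re
import ssl

# Constructed samples: a weak and a hardened nginx-style directive.
WEAK_LINE = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;"
HARDENED_LINE = "ssl_protocols TLSv1.2 TLSv1.3;"

# Assumption: SSL and TLS 1.0 are the "SSL and early TLS" the post refers to;
# TLS 1.1 is treated here as discouraged rather than prohibited.
PROHIBITED = {"SSLv2", "SSLv3", "TLSv1"}
DISCOURAGED = {"TLSv1.1"}


def parse_ssl_protocols(line):
    """Return the protocol tokens from an nginx 'ssl_protocols ...;' directive."""
    match = re.match(r"\s*ssl_protocols\s+(.+?)\s*;", line)
    if not match:
        raise ValueError("not an ssl_protocols directive: %r" % line)
    return match.group(1).split()


def audit_protocols(line):
    """Classify each enabled protocol; 'compliant' is False if any prohibited one is on."""
    protocols = parse_ssl_protocols(line)
    prohibited = sorted(p for p in protocols if p in PROHIBITED)
    discouraged = sorted(p for p in protocols if p in DISCOURAGED)
    return {
        "enabled": protocols,
        "prohibited": prohibited,
        "discouraged": discouraged,
        "compliant": not prohibited,
    }


def hardened_client_context():
    """Client-side equivalent of the hardened directive: refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for line in (WEAK_LINE, HARDENED_LINE):
        print(line, "->", audit_protocols(line))
    print("client minimum:", hardened_client_context().minimum_version.name)
```

Running the audit over a real configuration tree is a matter of feeding each `ssl_protocols` line to `audit_protocols`; any result with a non-empty `prohibited` list is a finding that belongs in the risk mitigation plan, and the `discouraged` list is the next item to schedule.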
Remember, as our Trustwave Qualified Security Assessor (QSA) experts always say, the PCI DSS is a baseline standard - the minimum set of requirements that you should be addressing for the security of your business and your payment card data. Compliance should be a byproduct of a robust security program. Implementing sound security controls, rather than focusing only on being compliant, is the best way to make sure that you are properly addressing the ever-changing threat landscape.
Beyond meeting the PCI DSS 3.2 requirements that go into effect in February, engage in proactive discussions with your QSA company (QSA-C) about additional security best practices your organization should be considering. These best practices may even be on the horizon for the next update to the PCI DSS.
Dixie Fisher is senior product manager of compliance solutions at Trustwave.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.