Compliance is a topic on the lips of tech leaders across the globe at present. In the first few months of 2018, organisations face a new set of data protection laws and newly enforced cardholder data standards.
The General Data Protection Regulation (GDPR) will affect any organisation processing the personal data of individuals in the EU, and the PCI DSS (Payment Card Industry Data Security Standard) affects any organisation that stores, processes or transmits card payment data. That just about covers every business.
The PCI Security Standards Council published version 3.2 of the PCI DSS in April 2016, and it replaced v3.1 in October of that year. The new requirements it introduced, however, were classed as best practice until 31 January 2018; from 1 February 2018 they are mandatory and will be assessed.
Whilst 3.2 is a minor update to the standard, there are a few notable changes your business needs to be aware of before its next annual assessment. So, what are these changes that have slipped in with this update?
1. Two factor to multifactor authentication
Attacks on British businesses appear to be growing in sophistication, but that is no reason to leave the front door unlocked whilst securing the windows. Brute-force attacks remain common – Wordfence reported over 6.6 million attacks in a 16-hour window – and it is essential that you can withstand them.
Two-factor authentication has long been positioned as the answer, without the need to enforce painstaking and largely unenforceable password policies across your organisation. PCI DSS v3.1 already required it for remote network access into the cardholder data environment. v3.2 goes a step further: requirement 8.3 now uses the term multi-factor authentication (MFA) and extends it to all non-console administrative access into the cardholder data environment, not only remote access.
Two things follow. First, "multi" means at least two factors; the standard does not cap the number. Second, the Council's guidance sets out a key procedural difference: the success or failure of any individual factor must not be revealed until all factors have been presented. Authentication should therefore be treated as a single step, however many factors are involved, rather than a password prompt followed by a separate OTP prompt that only appears once the password has been accepted.
Furthermore, to be compliant your authentication process must use at least two of the three factor categories, and the factors must be independent of one another, so that compromising one does not compromise another:
- Something you know. A password, PIN, secret word or secret answer, for example.
- Something you have. An employee ID card, a SIM card, or a one-time password (OTP) generated by Google/Microsoft Authenticator.
- Something you are. Biometrics are increasingly present on consumer devices, but fingerprints, facial recognition, voice recognition and the like can also be used.
Two passwords, or a password plus a "secret question", are two instances of the same category and do not count as multi-factor authentication.
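The single-step behaviour described above, shown as working code. This is an added example, not code from the article or from the PCI SSC: `leaky_login` is the two-step pattern that reports on each factor separately, and `mfa_login` evaluates both factors before answering and only ever returns an overall pass or fail. The user record, password, salt and TOTP seed are constructed for the demo; the seed is the RFC 4226/6238 test key, so the expected one-time codes are the published test vectors.

```python
"""
Single-step MFA verification: all factors are collected up front, each is
evaluated regardless of the others, and the caller learns only pass/fail.
Added example; not code from the article or from the PCI SSC. The user record,
password, salt and TOTP seed below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

PBKDF2_ITERATIONS = 200_000
SALT = b"demo-static-salt"   # constructed; use a random per-user salt in practice


def hash_password(password: str) -> bytes:
    """Something you know: slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, PBKDF2_ITERATIONS)


def totp(secret_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """Something you have: RFC 6238 TOTP (HMAC-SHA1, 30 s step) for a timestamp."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed demo user. The TOTP seed is the RFC 4226 test key
# "12345678901234567890" in base32.
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple"),
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    }
}
# Stand-in record for unknown usernames, so the same work is done either way
# and the response time does not reveal whether the username exists.
DUMMY_USER = {
    "pw_hash": hash_password(secrets.token_hex(16)),
    "totp_secret": base64.b32encode(secrets.token_bytes(20)).decode(),
}


def leaky_login(username: str, password: str, otp: str,
                now: Optional[float] = None) -> str:
    """The two-step pattern the v3.2 guidance rules out: each factor is checked
    and reported on its own, so an attacker can confirm a password from the
    response before ever needing the second factor."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return "unknown user"            # also enumerates valid usernames
    if not hmac.compare_digest(hash_password(password), user["pw_hash"]):
        return "wrong password"          # reveals the password factor's result
    if not hmac.compare_digest(otp, totp(user["totp_secret"], now)):
        return "wrong otp"               # reveals that the password was right
    return "ok"


def mfa_login(username: str, password: str, otp: str,
              now: Optional[float] = None) -> bool:
    """Single-step verification: every factor is evaluated whether or not the
    others passed, and the caller only ever sees an overall True/False."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    record = user if user is not None else DUMMY_USER
    pw_ok = hmac.compare_digest(hash_password(password), record["pw_hash"])
    # Accept the adjacent 30 s windows to tolerate clock drift on the token.
    otp_ok = False
    for drift in (-30, 0, 30):
        otp_ok |= hmac.compare_digest(otp, totp(record["totp_secret"], now + drift))
    # Bitwise '&' rather than 'and': no short-circuit, so a bad password does
    # not skip the OTP check and shorten the response.
    return bool(pw_ok & otp_ok & (user is not None))


if __name__ == "__main__":
    code = totp(USERS["alice"]["totp_secret"], time.time())
    print("leaky:", leaky_login("alice", "wrong", code))
    print("single-step:", mfa_login("alice", "wrong", code))
```

Note that `mfa_login` still has to be rate-limited and locked out after repeated failures (requirement 8.1.6 in PCI DSS); hiding which factor failed does not remove the need to limit attempts.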
2. Formal data governance & compliance reviews
Requirement 12 of PCI DSS obliges organisations to maintain a policy that addresses information security for all personnel, from junior operatives to senior management. Compliance therefore cannot be treated as an annual box-ticking exercise.
Data governance is becoming an integral part of compliance. v3.2 adds requirement 12.11, which makes quarterly reviews mandatory for service providers, confirming that personnel are actually following the security policies and operational procedures. For merchants those reviews are not yet mandatory, but a policy that genuinely covers all personnel is rarely achievable without regular auditing of information and equipment.
It is becoming increasingly clear, especially with the arrival of GDPR, that organisations need a clear, formally documented picture of how information flows through the organisation: where cardholder data (and, under GDPR, personal data) enters, where it is stored and processed, who can access it, and where it leaves. PCI DSS already expects a current cardholder data-flow diagram (requirement 1.1.3).
3. Data encryption
Encryption is a fundamental component of security strategies across the world. Heartbleed (April 2014) was an implementation bug in OpenSSL, fixed by patching; the POODLE attack against SSL 3.0 later that year was a flaw in the protocol itself, and the Security Standards Council reacted quickly. As of v3.1 (April 2015), SSL and "early TLS" (TLS 1.0) are no longer accepted as examples of strong cryptography, and the Council set a migration deadline of 30 June 2018. All versions of SSL, and TLS 1.0, were deemed unsuitable for protecting cardholder data because of protocol-level weaknesses that let an attacker positioned as a man-in-the-middle (MitM) downgrade or decrypt the session. The Council's guidance is to use TLS 1.2 or higher; TLS 1.1 is permitted but not recommended.
Ultimately, the goal of encryption is to render information useless if it does end up in the wrong hands, but that only holds if the protocol carrying it is sound, so it is essential to review your transport layer security ahead of the deadline. In particular, if your website has a card payment facility, you must ensure you are using a suitable level of encryption, such as:
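A review of the kind described above, as an added example that is not the article's or the PCI SSC's code. It performs two checks: a static audit of web-server TLS directives (nginx `ssl_protocols`/`ssl_ciphers` and Apache `SSLProtocol`/`SSLCipherSuite` syntax) that flags SSL, early TLS and weak cipher suites, and a Python `ssl.SSLContext` that refuses to negotiate below TLS 1.2 for outbound calls your own systems make to a payment API. The configuration snippets are constructed for the demo and show the weak setting beside the corrected one.

```python
"""
Transport layer security review for a card-payment endpoint.
Added example; not code from the article or from the PCI SSC.
The nginx/Apache snippets below are constructed for the demo.
"""
import re
import ssl

# Protocol versions the PCI SSC no longer accepts as strong cryptography
# (SSL and "early TLS"). TLS 1.1 is included because the Council's guidance
# is to move to TLS 1.2 or higher; Apache's "all" still enables TLSv1/1.1.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1", "all"}
# Cipher-suite markers for broken or export-grade primitives.
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5")

PROTOCOL_RE = re.compile(r"(ssl_protocols|SSLProtocol)\s+(.+?);?$")
CIPHER_RE = re.compile(r"(ssl_ciphers|SSLCipherSuite)\s+\"?([^\";]+)")


def audit_tls_config(config: str) -> dict:
    """Return the weak protocols and cipher tokens a config snippet enables."""
    findings = {"weak_protocols": [], "weak_ciphers": []}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PROTOCOL_RE.match(line)
        if m:
            for tok in m.group(2).split():
                if tok.startswith("-"):          # Apache "-SSLv3": explicitly disabled
                    continue
                tok = tok.lstrip("+")
                if tok in WEAK_PROTOCOLS:
                    findings["weak_protocols"].append(tok)
            continue
        m = CIPHER_RE.match(line)
        if m:
            for suite in m.group(2).split(":"):
                if suite.startswith(("!", "-")):  # explicitly removed from the list
                    continue
                if any(marker in suite.upper() for marker in WEAK_CIPHER_MARKERS):
                    findings["weak_ciphers"].append(suite)
    return findings


def pci_client_context() -> ssl.SSLContext:
    """Client context that will not negotiate below TLS 1.2 and verifies the
    server certificate and hostname (the create_default_context defaults)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # AEAD suites with forward secrecy only; drop RC4, 3DES, MD5 and anonymous DH.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def client_minimum_version() -> str:
    """Name of the lowest protocol version the hardened client will accept."""
    return pci_client_context().minimum_version.name


# Constructed snippets: the weak setting beside the corrected one.
WEAK_NGINX = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256";
}
"""
HARDENED_NGINX = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5";
    ssl_prefer_server_ciphers on;
}
"""
WEAK_APACHE = """
SSLProtocol all -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
"""

if __name__ == "__main__":
    for name, cfg in (("weak nginx", WEAK_NGINX), ("hardened nginx", HARDENED_NGINX),
                      ("apache", WEAK_APACHE)):
        print(name, audit_tls_config(cfg))
    print("client minimum:", client_minimum_version())
```

The static audit only tells you what the configuration file asks for; what the server actually negotiates also depends on the OpenSSL build behind it, so pair the file review with a live check of the endpoint (for example with `openssl s_client -tls1` or a scanner) before signing off the assessment.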
4. Change management
With digital transformation ever more important to business, security and compliance must be considered from the outset. Both the EU (through GDPR's "data protection by design and by default", Article 25) and the PCI SSC push organisations to adopt a security by design approach, meaning security should be at the core of decisions about technologies, software, hardware and infrastructure.
This means treating PCI DSS as a continuous process of security improvement rather than an annual box-ticking exercise; v3.2's new requirement 6.4.6 makes this explicit, requiring that after any significant change all relevant PCI DSS requirements are implemented on the new or changed systems and that documentation is updated. Troy Leach, Chief Technology Officer of the PCI SSC, recommends that organisations “have a process to analyse how changes may impact the [cardholder] environment and the security controls that organisations rely on”. We advocate this stance at Immervox: our methodology involves listening to and consulting with our partners to ensure that our clients remain ahead of the compliance curve.
Given that payments are essential to modern business, a watertight system for taking card payments is essential too. To deliver a secure, seamless customer experience, selecting the right technologies is key. So if you are concerned about your PCI DSS compliance and telecoms system, get in touch with one of our experts for no-obligation advice.