Another out-of-cycle (extraordinary) version of the PCI DSS standard: v3.2
By now a tradition, another out-of-cycle version of the PCI DSS standard, v3.2, was published in April 2016. The new version introduces clarifications that take effect immediately and tightens the PAN masking requirement. Masking must now show only the minimum number of card-number digits needed for a business purpose; displaying more than the first 6 and last 4 digits requires a documented justification. Previously, such a justification granted the right to view the entire number. A number of extended requirements apply to all organizations and enter into force on February 1, 2018, including:
after any change to systems or networks, organizations must confirm that the affected PCI DSS requirements are still met and update the relevant documentation;
for remote (non-console) administrative access, administrators must use multi-factor authentication (two or more factors).
Service providers will, from February 1, 2018, need to:
maintain a current, documented description of their cryptographic architecture;
detect and report failures of critical security controls in a timely manner, including physical access controls;
respond to such failures in a timely manner, including restoring the control and addressing the cause so that the failure does not recur;
perform penetration testing of segmentation controls at least every six months and after any change to the segmentation methods or controls used;
appoint a person responsible for protecting cardholder data and for maintaining PCI DSS compliance;
review security policies and operational procedures at least quarterly;
retain documented evidence of these reviews.
In addition, the new version of the standard includes further requirements aimed at embedding cardholder data protection into organizations' day-to-day operations (BAU, business-as-usual). These apply to individual organizations at the discretion of the payment systems. An overview of the changes is available on the PCI Security Standards Council website.
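The masking rule described above (show the minimum, never more than the first 6 and last 4 digits without a documented justification) is easy to get wrong in practice, so here is an added Python example that is not code from the standard or from the PCI Security Standards Council. It assumes a 13 to 19 digit PAN, `*` as the mask character, a default of showing only the last 4 digits, and a `justified` flag standing in for whatever approval workflow an organization actually uses. It also includes a Luhn check and a scanner that finds unmasked PANs in a constructed log line and reports them already masked, so the detection itself does not leak the number.

```python
import re

# Upper bound on what may be displayed without a documented justification
# (PCI DSS v3.2 wording: first six / last four). Constants are this example's.
MAX_LEADING = 6
MAX_TRAILING = 4
MASK_CHAR = "*"  # assumption: mask character is not dictated by the standard

# Matches 13-19 digits optionally separated by spaces or dashes, not embedded
# in a longer digit run (lookarounds stop it matching inside other numbers).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _digits(pan):
    """Strip spaces and dashes and check the 13-19 digit length assumption."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must consist of 13 to 19 digits")
    return digits


def luhn_valid(pan):
    """Luhn checksum; used to tell real PANs from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(_digits(pan))):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan, leading=0, trailing=4, justified=False):
    """Return the PAN with only `leading` and `trailing` digits visible.

    The default shows the last 4 only (the minimum most screens need).
    Asking for more than the first 6 / last 4 is refused unless the caller
    asserts a documented justification via justified=True.
    """
    digits = _digits(pan)
    if not justified and (leading > MAX_LEADING or trailing > MAX_TRAILING):
        raise ValueError(
            "showing more than the first 6 / last 4 digits requires a documented justification"
        )
    leading = min(leading, len(digits))
    trailing = min(trailing, len(digits) - leading)  # never let the windows overlap
    hidden = len(digits) - leading - trailing
    return digits[:leading] + MASK_CHAR * hidden + digits[len(digits) - trailing:]


def find_unmasked_pans(text):
    """Return masked forms of every Luhn-valid PAN found in `text`.

    Intended for checking logs and exports; the findings are returned masked
    so that the detection report does not itself become cardholder data.
    """
    found = []
    for match in _PAN_CANDIDATE.finditer(text):
        candidate = match.group(0)
        if luhn_valid(candidate):
            found.append(mask_pan(candidate))
    return found


# Constructed log line: 4111 1111 1111 1111 is a well-known test card number,
# the order id is a 13-digit run that fails the Luhn check on purpose.
SAMPLE_LOG_LINE = (
    "2016-04-28 10:00:01 checkout ok card=4111 1111 1111 1111 "
    "order=1234567890123 tel=+7 495 123 45 67"
)

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))                    # ************1111
    print(mask_pan("4111111111111111", leading=6, trailing=4))  # 411111******1111
    print(find_unmasked_pans(SAMPLE_LOG_LINE))                # ['************1111']
```

The `justified` flag is deliberately a plain boolean here; in a real system it would be backed by the role or approval record that documents the business need, and the request for a wider window should be logged as part of the evidence the standard asks organizations to keep.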