April 28, 2016

New PCI data standard requires multifactor ID verification

Anyone accessing cardholder information will need to use multifactor authentication to verify their identities, according to the latest version of the Payment Card Industry Security Standards Council's data security standard. The previous standard will expire Oct. 31.

All new requirements in the latest data security standard are best practices until Feb. 1, 2018, but early adoption is recommended, said PCI SSC Chief Technology Officer Troy Leach.

This new 3.2 version, announced Thursday, replaces version 3.1 to address growing threats to customer payment information. The PCI SSC's data security standard is used by businesses worldwide to safeguard payment data before, during and after a purchase is made.

"A password alone should not be enough to verify the administrator's identity and grant access to sensitive information," said Leach. "Additionally, service providers, specifically those that aggregate large amounts of card data, continue to be at risk. PCI DSS 3.2 includes a number of updates to help these entities demonstrate that good security practices are active and effective."

Among the Version 3.2 requirements service providers must follow are:

  • detect and report on failures of critical security control systems;
  • perform penetration testing on segmentation controls every six months;
  • perform quarterly reviews to confirm that personnel are following security policies and operational procedures; and
  • establish responsibilities and a PCI DSS compliance program by executive management.