PCI Data Security Standard Ver. 3.2 Released

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). Below is a high-level overview of the 12 PCI DSS requirements.

If credit unions act as merchants (for example, by allowing cash withdrawals from credit cards at the teller line) and/or as service providers (for example, by storing members’ card information on their systems), they must abide by the Payment Card Industry Data Security Standard (PCI DSS). On October 31, the current version (3.1) of the PCI DSS will be replaced with Version 3.2.

The Press Release states “…the primary changes in version 3.2 are clarifications on requirements that help organizations confirm that critical data security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process.” It continues, “This includes new requirements for administrators and service providers, and the cardholder data environments they are responsible to protect. PCI DSS 3.2 advocates that organizations focus on people, process and policy, with technology playing an important role in reducing the overall cardholder data footprint.”

The PCI provided a Summary of Changes from version 3.1 to 3.2.  The Summary includes a number of clarification and guidance changes, along with evolving requirements.  The evolving requirements include:

  • Updated requirement to clarify that any display of the PAN showing more than the first six/last four digits requires a legitimate business need. Added guidance on common masking scenarios.
  • New requirement for service providers to maintain a documented description of the cryptographic architecture.
  • New requirement for change control processes to include verification of PCI DSS requirements impacted by a change.
  • Expanded Requirement 8.3 into sub-requirements, to require multi-factor authentication for all personnel with non-console administrative access, and all personnel with remote access to the CDE.
  • New Requirement 8.3.2 addresses multi-factor authentication for all personnel with remote access to the CDE (incorporates former Requirement 8.3).
  • New Requirement 8.3.1 addresses multi-factor authentication for all personnel with non-console administrative access to the CDE.
  • New requirement for service providers to detect and report on failures of critical security control systems.
  • New requirement for service providers to perform penetration testing on segmentation controls at least every six months.
  • New requirement for service providers’ executive management to establish responsibilities for the protection of cardholder data and a PCI DSS compliance program.
  • New requirement for service providers to perform reviews at least quarterly, to confirm personnel are following security policies and operational procedures.
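The masking clarification in the first bullet is the one item above that maps directly to code a credit union's IT staff can check. The following Python is an added illustration, not code from the PCI Council or from NWCG: it masks a PAN down to the first six/last four, validates that a rendered value does not show more than that, and scans constructed log lines for full, Luhn-valid PANs that should never have been written out. The card numbers and log lines are constructed test values, and the 13-to-19 digit length bound and the Luhn filter are assumptions chosen to keep false positives down.

```python
"""PAN masking and unmasked-PAN detection helpers (illustrative, not PCI SSC code)."""
import re

# A run of 13-19 digits not touching other digits; card PANs fall in this range.
PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by card schemes; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4, mask_char: str = "*") -> str:
    """Mask a PAN so at most the first six and last four digits stay visible.

    Showing more than that needs a documented business need under the 3.2
    clarification, so the defaults are treated as a ceiling: callers may keep
    fewer digits visible but never more.
    """
    digits = re.sub(r"\D", "", pan)           # drop spaces, dashes, etc.
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    if keep_first > 6 or keep_last > 4:
        raise ValueError("default masking permits at most first six / last four")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + mask_char * hidden + digits[len(digits) - keep_last:]


def within_default_mask(display: str) -> bool:
    """True if a rendered PAN exposes no more than the first six / last four digits."""
    return re.fullmatch(r"\d{0,6}[*Xx#]+\d{0,4}", display) is not None


def find_unmasked_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit runs: likely full PANs in a log or screen dump."""
    return [run for run in PAN_RUN.findall(text) if luhn_valid(run)]


# Constructed log lines (not real data); 4111111111111111 is a well-known test number.
SAMPLE_LOG = """\
2016-10-31 09:14:02 teller=17 cash-advance pan=4111111111111111 amount=200.00
2016-10-31 09:15:40 teller=17 cash-advance pan=411111******1111 amount=50.00
2016-10-31 09:16:05 batch=1234567890123456 status=ok
"""

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))   # 411111******1111
    print(find_unmasked_pans(SAMPLE_LOG))     # ['4111111111111111']
```

The third log line contains a 16-digit batch id that fails the Luhn check, so only the first line is reported; the masked value on the second line never forms a 13-digit run. A review of teller and card-system logs with a scanner like this is one concrete way to show an assessor that displays and stored records honour the first six/last four rule.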

Operations staff involved with credit cards, and IT staff involved with security should review and implement the new and clarified requirements.


Payment Card Industry Data Security Standard Version 3.2

Passwords to access the blog posts, and blog posts are only for NWCG owners and retained clients. These should not be shared outside of the credit union. Blog posts generally contain only a summary of any requirements, and do not represent all potential impact on the credit unions. For further details on any blog post, contact NWCG or references cited in the blog post.  The information contained on this site is provided for informational purposes only, and should not be construed as legal advice.
