PCI DSS Releases 3.2.1 Update & Makes MFA a Required Control

The Payment Card Industry Data Security Standard (PCI DSS) is the standard that businesses around the world use to protect sensitive payment card data before, during, and after their transactions. Recently, the PCI Security Standards Council (PCI SSC) published a new revision to the PCI DSS rule that changes it from version 3.2 to version 3.2.1.

What’s New in 3.2.1?

Although a press release from the PCI Security Standards Council describes the update as “minor” and that it was “designed to eliminate any confusion around effective dates for PCI DSS requirements introduced in v3.2, as well as the migration dates for SSL/early TLS,” there is one significant change that every business should know if they want to be PCI-compliant: the removal of Multi-Factor Authentication (MFA, multifactor authentication) from the “compensating control” example in Appendix B of the rule.

Compensating controls are measures that may “be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement.” Basically, they’re alternative measures that have to meet a rigorous set of requirements when, for whatever reason, the specific measure outlined in the rules for PCI DSS cannot be met.

Instead of being a compensating control, MFA is now a requirement for ALL “non-console administrative access” under section 8.2 of the requirement, which states that:

“In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:

•   Something you know, such as a password or passphrase

•   Something you have, such as a token device or smart card

•   Something you are, such as a biometric”

Basically, MFA just went from being something that was “above and beyond” the basic PCI DSS requirements to being a requirement for non-console administrative access. This, in turn, may also make it harder to establish other methods as “compensating controls” because the bar for meeting PCI DSS standard equivalency has just been raised by this minor change in the text.

The other update to the text of PCI DSS is that only point of sale/interaction (POS/POI) terminals will be allowed to continue using SSL/early TLS as a security control after June 30, 2018—after this, all other terminals will need to be switched to another secure alternative.

What Do These Changes Mean for Businesses?

While neither of the above changes are too big—most companies were going to have to switch away from SSL/early TLS on their browser-based systems anyway—it may affect how you prioritize your cybersecurity architecture implementation in the coming months. For example, you may find that you need to rush the switch from your existing cryptographic protocols to newer ones that don’t have the severe security vulnerabilities that exist in SSL and early TLS.

Here, having the help of an experienced team of cybersecurity professionals can be invaluable for ensuring the smooth implementation of your new encryption algorithms.

Additionally, if you’re on the lookout for compensating controls to replace PCI DSS required controls that you cannot implement, you may find that the standards for such controls have gotten a bit tougher to meet with the addition of multi-factor authentication as a new requirement to serve as a point of comparison.

Keeping up to date with changes to major industry regulations such as PCI DSS is a crucial part of protecting your business. If you need help making sure that your organization is compliant with PCI, HIPAA, and other cybersecurity regulations, be sure to contact the experts here at Compuquip today! Everyone on the team is eager to help you protect your business from online threats!

New Call-to-action