PCI DSS 3.2 released: What's new for POS security?

The state of POS security is not looking too well - too many retailers and merchants are getting breached and not enough have taken action. The good news is that the Payment Card Industry Security Standards Council wants to help. To spur some payment security activity, this group released the new Data Security Standards, version 3.2.

First things first, don't panic. Retailers and merchants have plenty of time to take action and implement new POS security policies and controls. The existing PCI DSS 3.1 will migrate to the new requirements on Oct. 31, 2016, and PCI DSS 3.2 will go fully into effect on Feb. 1, 2018.

That said, it's best to act sooner rather than later, since these standards were developed to help businesses secure their POS environments against today's most sophisticated threats and most common types of attacks.

But what is the PCI Security Standards Council encouraging? Let's take a look at some of the new standards put forth in PCI DSS Version 3.2 when it comes to POS and payments security.

Requirement 6.4.6: Frequent POS security checks
This new standard requires retailers and merchants to reexamine the strength of their security within POS environments after changes are made to these systems.

For example, even though the EMV liability shift deadline has come and gone, many businesses are still trying to integrate EMV-supporting technologies into their payment processing tech stacks. When completing such a process, merchants are likely to make changes that could alter existing security policies or controls.

Therefore, the PCI SSC wants these companies to re-evaluate those environments following said adjustments to ensure they are still compliant with PCI DSS. The same goes for any POS system changes, which is particularly relevant nowadays as merchants are increasingly deploying mobile solutions and other cutting-edge devices.

Requirement 8.3: Multi-factor authentication
Multi-factor authentication has been a security standard, but only for remote access. Now, with version 3.2, retailers and merchants must use multi-factor authentication - the process of using two or more technologies to verify identities - for "any personnel with non-console administrative access to the systems handling card data," explained Troy Leach, chief technology officer of the PCI SSC.

With 63 percent of POS data breaches involving compromised credentials, according to Verizon, this new requirement should go a long way toward preventing unintended data disclosures.

"The changes proposed by PCI DSS 3.2 should not be taken lightly."

Addition of Designated Entities Supplemental Validation to PCI DSS 3.2
DESV used to be a separate set of payment security regulations, but with the introduction of DSS 3.2, these criteria are now included as an appendix to the standards.

"Many of the [DESV] requirements are simply extensions of existing PCI DSS requirements that should be demonstratively tested more regularly, or require more evidence that the control is in place," Leach stated.

In that sense, this change is more or less for the sake of consolidation. That said, merchants should certainly pay attention to these standards, as there's no such thing as too much POS security.

SSL/early TLS migration date extension
Lastly, PCI DSS 3.2 granted businesses more time to shift away from SSL and TLS 1.0 and toward TLS 1.1 or higher. The deadline was July 1, 2016. Now, it's July 1, 2018.

The changes proposed by PCI DSS 3.2 should not be taken lightly. Right now, many retailers and merchants are failing at POS and payments security, and these new regulations should help those businesses implement stronger security. And, as always, these merchants should remember that they should not wait until the proposed deadlines and should go above and beyond these simple security checklists. A QIR-qualified VAR/ISV is the best resource for merchants to tap regarding PCI-DSS implementation.

 

Want to learn more?