It’s About Time (For Compliance with PCI DSS 3.2) -- Are You Ready?

March 6, 2017

2017 hit the ground running in a fast and furious way, for obvious reasons. But wait a second -- it’s suddenly March?!? Events and deadlines that seemed far into the future are suddenly right around the corner, with less time than you thought to cover everything in that intricate plan. Oh, if only time machines really did exist.

Image source:

One critical deadline on the near horizon applies to businesses who work with payment cards -- merchants, financial institutions, point-of-sale vendors and developers who create and operate infrastructure that processes payments. And every one of those businesses needs to pay attention to security -- NOW.

Why? Because time is running out. Before long the new Payment Card Industry (PCI) Data Security Standard (DSS) 3.2, which was published in May 2016, will transform from its current state of guidance into full-fledged industry mandate as of January 2018. That’s right, around nine months from now (at this writing). It’s time for businesses to have their new compliance processes underway, as the date to start using version 3.2 for assessments is already behind us (October 2016).

So, how is the latest update to PCI DSS so important to both businesses and consumers?

As Corey Williams mentioned in his blog on this topic, PCI DSS 3.2 Section 8.3 now requires multi-factor authentication for all personnel with administrative access, not just personnel with remote access to the cardholder data environment (CDE). Troy Leach, PCI Security Standards Council Chief Technology Officer stated:

“The most important point is that the change to the requirement is intended for all administrative access into the cardholder data environment, even from within the company’s own network. This applies to any administrator, whether it be a third party or internal, that has the ability to change systems and other credentials within that network to potentially compromise the security of the environment.”

That’s not all. The new PCI DSS 3.2 requirements reinforce other security areas:

  • Protect stored cardholder data by granting or denying privileged access based on independent job roles and responsibilities.
  • Service providers must maintain a documented description of the cryptographic architecture.
  • Service providers must perform quarterly security program reviews to verify and document ongoing compliance.

It’s no wonder this recent DSS version has an increased focus on security and privacy. Managing user identities and access is a must-have for organizations seeking to avoid data breaches by minimizing their attack surface, while their networks are expanding and moving beyond what used to be considered a standard perimeter.

Traditional network boundaries are quickly disappearing as mobile workers and third parties become larger components of an enterprise’s composition, with identity now taking a prominent position as a means to reducing risk of a data breach. According to a 2016 commissioned study conducted by Forrester Research on behalf of Centrify, 97% of the organizations surveyed provide privileged access to remote employees and outsourced vendors.

There are many ways individuals put customer data at risk. Poor password management provides cyber criminals with an easy entry point into enterprise networks, where they gain initial access. They work their way through the organization in search of privileged accounts and ultimately steal sensitive data. Or, an employee who becomes disenfranchised with his or her employer may choose to share sensitive cardholder information for financial gain. According to Verizon’s 2016 Data Breach Investigations Report, 80% of analyzed breaches last year had a financial motive, and McAfee Labs reports the more credit and debit card information a hacker can collect, the more it’s worth on the Dark Web.

Plus, there is always the cringe-worthy news story about an employee’s laptop being stolen from their vehicle or home, increasing the risk of personal data falling into the wrong hands.

If you haven’t started your planning for PCI DSS 3.2, don’t panic. Centrify can help with capabilities you need to streamline compliance:

  • Identity consolidation – leverages your existing Active Directory to provide centralized identity management and monitoring, assign a unique ID to each user and restrict server access to cardholder data on a business need to know basis.
  • Separation of duties – Assigns duties to each unique user ID so that no individual has complete end-to-end control of any process.
  • Least privilege policy –Provide users with only the amount of access they need to perform their job functions. Users log in as themselves, elevating privilege only when necessary so all activity is audited and attributed to the individual.
  • Built-in multi-factor authentication -- advanced and flexible MFA capabilities authenticate authorized users with multiple methods of identification to add an extra layer of security for your organization’s sensitive cardholder information.
  • Forensic analysis – conduct investigations and prove compliance with privileged session monitoring and auditing of activity associated with individual and shared administrative accounts that are tied to the user. Integration with SIEM solutions enable security teams to quickly detect and respond to internal and external attacks, simplify threat management while minimizing risk and safeguard organizations.
  • Audit trails – proves compliance with tailored PCI reports and session recording of user activity, indexed to better track the actions and commands used by each individual user.

Read this eBook for more information on how to beat the clock (without a time machine) on ensuring your business is in compliance with the latest PCI DSS 3.2.

This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.