Sometime last year you achieved total compliance with PCI DSS, the information security standard for all organizations that process credit or debit cards. That means your data is safe, the auditors will leave you alone, and you can kick back and relax, right?
Unfortunately, hackers don’t take breaks. Their methods are constantly evolving, making it essential that you are compliant with the latest security standards. Fortunately, PCI DSS is designed to ensure that you know exactly what to do to stay ahead of new threats. Staying PCI DSS compliant also lets you avoid hefty fines.
The latest version of PCI DSS is version 3.2, which was announced in April 2016. Hopefully you’ve already seen the new rules and are taking steps to improve your security. You should be aware that some major PCI DSS compliance deadlines are approaching in 2018.
Although PCI DSS 3.1 technically expired in October 2016, all new requirements in version 3.2 will be considered best practices until 2018, when they’ll become mandatory. Here are some of the most important changes:
Multi-Factor Authentication (Best Practice Now, Mandatory February 2018)
PCI DSS version 3.1 called for two-factor authentication. Don’t worry about the name change to multi-factor authentication—it’s just to clarify that more than two types of authentication are possible. The more important update is that the requirement is expanded to include all individual non-console administrative access as well as all remote access to the cardholder data environment (CDE).
That means that for any potential CDE access points, including through tools like your managed file transfer solution, you need to have multi-factor authentication either at the network or the system level.
TLS 1.1 or Above (Best Practice Now, Mandatory June 2018)
SSL and its immediate successor, TLS 1.0, are no longer considered strong cryptography. Originally, the new PCI DSS requirement mandated that every organization migrate to TLS 1.1 or above (ideally TLS 1.2) by June 2016. This deadline was later pushed out to June 2018.
However, if you’re using SSL or early TLS, you should know that you’re not using current security best practices. We recommend that you move your file transfers to a stronger encryption method as soon as possible.
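Before switching off SSL and early TLS, most teams want to know which clients are still negotiating them. The following is an added example, not from the whitepaper or any file transfer product: it assumes a hypothetical access-log layout whose last field records the negotiated protocol (as nginx’s $ssl_protocol does), counts the connections per client that used SSL/early TLS, and builds a client-side TLS context that refuses anything below TLS 1.2.

```python
import re
import ssl
from collections import Counter

# Protocol labels PCI DSS 3.2 treats as "SSL/early TLS" (not strong cryptography).
EARLY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}

def is_early_tls(protocol: str) -> bool:
    """True if the negotiated protocol must be retired before the June 2018 deadline."""
    if protocol in ACCEPTABLE:
        return False
    if protocol in EARLY_TLS:
        return True
    raise ValueError(f"unknown protocol label: {protocol!r}")

# Hypothetical log layout (an assumption for this example): client, ident, user,
# timestamp, request, status, negotiated protocol.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "[^"]*" \d{3} (?P<proto>\S+)$'
)

def early_tls_clients(log_lines):
    """Count, per client address, the connections that used SSL or early TLS."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # lines that do not fit the expected layout are skipped
        if is_early_tls(m.group("proto")):
            counts[m.group("client")] += 1
    return counts

def pci_client_context() -> ssl.SSLContext:
    """Client context for FTPS/HTTPS transfers that refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

# Constructed sample log lines for the demonstration (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - alice [01/Mar/2018:10:00:01 +0000] "PUT /upload/batch.csv" 200 TLSv1.2',
    '10.0.0.9 - legacy [01/Mar/2018:10:00:07 +0000] "GET /download/report.pdf" 200 TLSv1',
    '10.0.0.9 - legacy [01/Mar/2018:10:01:15 +0000] "PUT /upload/batch.csv" 200 TLSv1.1',
    '10.0.0.12 - bob [01/Mar/2018:10:02:30 +0000] "GET /download/report.pdf" 200 TLSv1.3',
    'garbage line that does not match',
]

if __name__ == "__main__":
    for client, n in early_tls_clients(SAMPLE_LOG).items():
        print(f"{client}: {n} connection(s) on SSL/early TLS, migrate before June 2018")
```

Run it against your own server’s log export once the protocol field is in the same position; clients that show up in the output are the ones that will break when early TLS is disabled.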
In order to help you fully understand the changes to PCI DSS 3.2, especially how they relate to managed file transfer, we’ve created a new whitepaper. Download it to learn:
- Who needs to comply with PCI DSS 3.2
- What has changed since version 3.1
- How PCI DSS compliance affects your file transfer processes and solutions