The PCI Security Standards Council said on Thursday (April 28) that it has published a new version of its data security standard (DSS), geared toward data protection before, during and after transactions take place. This version, 3.2, now replaces 3.1, in order to “address growing threats to customer payment information,” the council said in a release. The 3.1 version is set to expire on Oct. 31 of this year.
The council said the newest update is part of the regular occurrence of examining both challenges and threats. Feedback came from 700 firms participating in the council’s network, along with industry reports on data breaches.
In a statement that accompanied the release, PCI Security Standards Council Chief Technology Officer Troy Leach stated: “We’ve seen an increase in attacks that circumvent a single point of failure, allowing criminals to access systems undetected and to compromise card data. A significant change in PCI DSS 3.2 includes multi-factor authentication as a requirement for any personnel with administrative access into environments handling card data. Previously, this requirement applied only to remote access from untrusted networks. A password alone should not be enough to verify the administrator’s identity and grant access to sensitive information. Additionally, service providers, specifically those that aggregate large amounts of card data, continue to be at risk. PCI DSS 3.2 includes a number of updates to help these entities demonstrate that good security practices are active and effective.”