PCI DSS 3.2 and GDPR are two major standards coming into force in 2018, so it is important to get the ball rolling as soon as possible.
The PSBE Cyber News Group is reporting that being compliant with PCI DSS 3.2 will more than likely mean compliance with the new GDPR as well. The changes in the new Payment Card Industry Data Security Standard 3.2 (PCI DSS 3.2) become mandatory on 1 February 2018, a few months before the new General Data Protection Regulation (GDPR) comes into force.
Jeremy King, International Director at the Payment Card Industry Security Standards Council (PCI SSC), said:
“People come to me and say, ‘How do I achieve GDPR compliance?’ … Start with PCI DSS.”
PCI DSS 3.2 gives prescriptive guidance, and the changes being introduced could mean that a company that fully and successfully implements PCI DSS 3.2 is more likely to be fully GDPR compliant.
The new PCI DSS 3.2 changes are expected to have the highest impact on small merchants who outsource the whole payment process. These companies may believe that responsibility for security lies with their service provider. The article highlights that
“…but while you can contract out the process, you cannot contract out the responsibility. Small merchants will still need to take reasonable steps to ensure that their providers are complying with the new regulations…”
One of the most significant changes under PCI DSS 3.2 is that administrators must use multi-factor authentication (MFA) before accessing the card data environment. For large organisations this could prove quite a challenge, as they will need to identify all administrator accounts and ensure that each one has been issued with, and is using, the new MFA credentials.
The other important change is the migration from SSL and early versions of TLS to a more secure, later version of TLS. This is designed to reduce ‘man in the middle’ attacks, and the PCI SSC have advised early adoption because continuing to rely on the older versions leaves organisations more vulnerable to a breach.
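Before switching off SSL and early TLS, a merchant needs to know which clients still depend on them, and afterwards needs to confirm the server really refuses them. The following Python example is added here to illustrate both steps and is not code from the article or from the PCI SSC. It assumes a hypothetical access-log format in which the web server appends the negotiated protocol and cipher to each line (the way nginx would with `$ssl_protocol $ssl_cipher` in its log format), and the sample log lines are constructed for the example.

```python
import re
import ssl
from collections import Counter

# Protocol versions PCI DSS 3.2 treats as "SSL/early TLS". The labels are
# assumed to match what the web server writes into its log.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample log lines (hypothetical format: common log format
# followed by the negotiated protocol and cipher).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2018:10:00:01 +0000] "POST /checkout HTTP/1.1" 200 512 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
198.51.100.7 - - [10/Jan/2018:10:00:03 +0000] "POST /checkout HTTP/1.1" 200 498 TLSv1 AES128-SHA
203.0.113.9 - - [10/Jan/2018:10:00:05 +0000] "GET /cart HTTP/1.1" 200 2048 TLSv1.1 ECDHE-RSA-AES256-SHA
198.51.100.7 - - [10/Jan/2018:10:00:09 +0000] "POST /checkout HTTP/1.1" 200 501 TLSv1 AES128-SHA
203.0.113.5 - - [10/Jan/2018:10:00:12 +0000] "GET /cart HTTP/1.1" 200 2048 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<proto>\S+) (?P<cipher>\S+)$'
)


def legacy_tls_report(log_text):
    """Count connections per protocol and find clients still on SSL/early TLS.

    Returns (per_protocol_counts, legacy_connections_per_client_ip).
    Lines that do not match the expected format are skipped.
    """
    per_protocol = Counter()
    legacy_clients = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        proto = m.group("proto")
        per_protocol[proto] += 1
        if proto in LEGACY_PROTOCOLS:
            legacy_clients[m.group("ip")] += 1
    return per_protocol, legacy_clients


def legacy_server_context():
    """The weak setting: accept every protocol version the library supports,
    which includes TLS 1.0 and 1.1 (and SSL 3.0 on old builds)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_server_context():
    """The corrected setting: negotiate TLS 1.2 or later only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression is a known weakness
    return ctx


def accepts_legacy(ctx):
    """True if the context would still negotiate SSL 3.0, TLS 1.0 or TLS 1.1."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    counts, clients = legacy_tls_report(SAMPLE_LOG)
    print("connections per protocol:", dict(counts))
    print("clients still on SSL/early TLS:", dict(clients))
    print("legacy context accepts early TLS:", accepts_legacy(legacy_server_context()))
    print("hardened context accepts early TLS:", accepts_legacy(hardened_server_context()))
```

Running the report over real logs for a few weeks gives the list of customers and partners that will break on migration day, which is the evidence a small merchant needs when asking an outsourced provider what it intends to do about them. Applying `hardened_server_context` (or the equivalent `ssl_protocols TLSv1.2;` style directive in the web server) is the server-side half of the change.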