Does your organization accept credit cards? If you do, your organization needs to follow the PCI-DSS compliance standards. PCI-DSS stands for Payment Card Industry Data Security Standards; they were adopted as a shared set of data security standards by the major US credit card companies in 2005. Complying with these standards protects your organization from liability in the event of a breach.
Earlier this year, the PCI-DSS standards and compliance rules were updated to version 3.2. With these changes there are now stricter rules you may need to follow to remain compliant. The full summary of all changes can be found on the PCI Security Standards Council's website. Here are the 3 most important changes to the set of standards:
Multi-factor Authentication
If you are wondering what multi-factor authentication is, check out our previous blog post about MFA. PCI-DSS 3.2 now requires anyone with administrative access to the cardholder data environment, or any user with remote access, to use multi-factor authentication. This is one of the strongest protections against a data breach and is very important to have enabled for your employees.
Remove older encryption standards
Data security is always a moving target. Part of strengthening your organization's data security is to stop using older forms of data encryption. SSL and early versions of TLS have been "figured out" by cybercriminals and are no longer safe to use. Keeping your software up to date and replacing old hardware is the key to following these rules.
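As an added example (not part of the original post), here is a small Python check that reports which SSL/early-TLS versions a server-side ssl.SSLContext would still negotiate, shown next to a context configured the way PCI-DSS 3.2 expects, with TLS 1.2 as the floor. The function names are my own; the check honours both the modern minimum_version setting and the older OP_NO_* flags, since either can be in play on an existing server.

```python
import ssl

# SSL 3.0, TLS 1.0 and TLS 1.1 are the "SSL and early TLS" versions
# that PCI-DSS 3.2 asks merchants to retire.
LEGACY_VERSIONS = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)

# Older code disables protocol versions with OP_NO_* flags instead of
# minimum_version, so an audit has to look at both mechanisms.
DISABLE_FLAGS = {
    ssl.TLSVersion.SSLv3: ssl.OP_NO_SSLv3,
    ssl.TLSVersion.TLSv1: ssl.OP_NO_TLSv1,
    ssl.TLSVersion.TLSv1_1: ssl.OP_NO_TLSv1_1,
}


def legacy_versions_allowed(ctx):
    """Return the legacy protocol versions that ctx would still accept."""
    allowed = []
    floor = ctx.minimum_version
    for version in LEGACY_VERSIONS:
        # MINIMUM_SUPPORTED means "no lower bound", so only a real floor excludes.
        below_floor = floor != ssl.TLSVersion.MINIMUM_SUPPORTED and version < floor
        disabled_by_flag = bool(ctx.options & DISABLE_FLAGS[version])
        if not (below_floor or disabled_by_flag):
            allowed.append(version)
    return allowed


def is_pci_dss_32_protocol_compliant(ctx):
    """True when no SSL/early-TLS version can be negotiated."""
    return not legacy_versions_allowed(ctx)


def weak_server_context():
    """Constructed 'before' case: no floor, so TLS 1.0/1.1 are still offered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_server_context():
    """Corrected configuration: TLS 1.2 is the lowest version offered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_server_context()), ("hardened", hardened_server_context())):
        print(name, [v.name for v in legacy_versions_allowed(ctx)])
```

SSLv3 does not appear in the weak case's output because Python's SSLContext sets OP_NO_SSLv3 by default; TLS 1.0 and 1.1 are only excluded once a floor is set.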
Newer, tougher testing procedures
Part of maintaining PCI-DSS compliance is that your merchant (the company that processes your transactions) or one of their partners has a method in place to verify that appropriate data security measures are taken in your organization. A remote scan is run against your organization's IP address(es) to see what vulnerabilities may be present in your organization. With the 3.2 update, these scans have become tougher to pass, with stricter rules.
What do I do next?
If you are not sure of the status of your PCI-DSS compliance, contact Integrity today to work with us on a security assessment.