Multi-factor authentication will be required for administrative access to card data and systems for Payment Card Industry data security compliance this week.
The PCI Security Standards council will deliver its 3.2 data security standard version, effective April 28, strengthening rules for data access, providing criteria for ongoing compliance programs, and reminding merchants and network operators to continue to migrate to a more secure Web protocol, or Transport Layer Security.
The PCI DSS 3.1 version will expire Oct. 31, 2016.
The multi-factor requirement is the biggest change in the PCI DSS 3.2, said PCI chief technology officer Troy Leach.
Authorization may include a password, a token or smartcard and some form of biometrics, Leach said in a recent blog post.
Previous PCI requirements call for two-factor authentication, but the new rule of multi-factor makes it consistent that "at least two credentials" are used for access, Leach said.
"A password alone is not enough to verify the user's identity and grant access to sensitive information," Leach said.
This new requirement applies even if the individual seeking access is within a trusted network, or if the person seeking access works internally or as a third party, he added.
PCI recommends that organizations review how they manage access to their cardholder data environment and review the current administrator roles to identify where the new requirement will require changes to authentication.
Version 3.2 also calls for new criteria titled Designated Entities Supplemental Validation, designed to help service providers maintain security programs through effective compliance oversight, proper scoping of an environment, and assuring effective alerts are in place in critical security controls.
An organization is required to undergo an assessment of these validation processes only if instructed to do so by an acquirer or payment brand. Even if not mandatory, the PCI council suggests organizations study these security practices, especially new requirements for service providers.
Those requirements include a third party provider maintaining a documented description of the cryptographic architecture and reporting on failures of critical security control systems.
"Service providers play an important role in securing cardholder data for their customers," Leach said. "An organization could go to great lengths to protect their internal network only to see a third party negate all of their effort as indicated in data breach reports."
In addition, a new requirement calls for executive management to establish responsibility for protection of cardholder data and the PCI compliance program.
"If you are part of senior leadership in an organization and entrusted to protect the cardholder data of your customers, you should be fully aware of your PCI DSS responsibility," Leach said.
PCI DSS 3.2 does not change the requirement or deadline for organizations to switch Web protocols from a vulnerable Secure Sockets Layer to a newer version of Transport Layer Security.
Even though PCI is not requiring that change until June of 2018, many security vendors say their clients are moving quickly to migrate to the more secure TLS settings. PCI had extended its deadline from a previous date of June 2016 to assure organizations could have other 3.2 requirements in place in addition to having the more secure Web security protocol in place.