As a business that receives payments through the five major credit card brands (Visa, Mastercard, American Express, Discover and JCB), you are more than likely familiar with PCI DSS, a proprietary information security standard administered by the Payment Card Industry Security Standards Council. The standard was designed to reduce credit card fraud.
Under the new version of the standard, two of the updated mandates are treated as best practice for now and do not become mandatory until 2018: the new requirements in version 3.2 take effect on 1 February 2018, and the migration deadline for SSL and early TLS is 30 June 2018.
According to the PCI Security Standards Council (PCI SSC), companies will need to comply with a new version of its Data Security Standard (DSS), version 3.2. The standard is meant to protect payment data before, during and after a purchase is made. Under the new provisions, companies must require multi-factor authentication for all non-console administrative access into the cardholder data environment (the systems that store, process or transmit card data), whether that access originates inside or outside the corporate network. Previously, the guidelines only required multi-factor authentication for remote access coming in from untrusted networks.
The new guidelines also mandate a migration away from SSL and early TLS (TLS 1.0) to a secure version of TLS, with TLS 1.2 or higher recommended, as well as other updates. Note that this is a migration off SSL, not on to it: every version of SSL is considered broken, and a server that still accepts SSLv3 or TLS 1.0 for cardholder traffic fails the requirement regardless of which cipher suites it offers.
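A practical first check for the SSL/early TLS migration is whether your web servers' configuration still enables the deprecated versions. The following is an added example written for this page, not code from the PCI SSC or from the article's author: it parses nginx `ssl_protocols` and Apache `SSLProtocol` directives from constructed sample configs and reports any SSL or early TLS version left enabled. Two assumptions are labelled in the code: Apache's `all` keyword is expanded as a modern mod_ssl build would (no SSLv2), and TLS 1.1 is flagged alongside TLS 1.0 as a hardening choice so that TLS 1.2 becomes the floor.

```python
"""Audit nginx / Apache TLS protocol directives for SSL and early TLS.

Added example for this article; not code from the PCI SSC or the article's
author. The sample configs below are constructed for illustration.
"""
import re

# Protocol names as spelled in nginx `ssl_protocols` and Apache `SSLProtocol`.
# Apache's keyword `all` expands to every version the module knows about
# (assumption: a modern mod_ssl build, which no longer includes SSLv2).
APACHE_ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# Versions that fail the PCI SSC "SSL and early TLS" migration: every SSL
# version plus TLS 1.0. TLS 1.1 is included as a hardening choice (assumption:
# the auditor wants TLS 1.2 as the floor, which the migration guidance
# recommends).
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

NGINX_RE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.M)
APACHE_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.M)

# Constructed sample configurations: a weak and a hardened form for each server.
WEAK_NGINX = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""
HARDENED_NGINX = "ssl_protocols TLSv1.2 TLSv1.3;\n"
# Looks safe at a glance, but `all -SSLv3` still leaves TLS 1.0 and 1.1 on.
WEAK_APACHE = "SSLProtocol all -SSLv3\n"
HARDENED_APACHE = "SSLProtocol -all +TLSv1.2 +TLSv1.3\n"


def _apache_enabled(tokens):
    """Resolve Apache's `all`, `+name`, `-name` syntax into the enabled set."""
    enabled = set()
    for tok in tokens:
        if tok.startswith("-"):
            op, name = "-", tok[1:]
        else:
            op, name = "+", tok.lstrip("+")
        names = APACHE_ALL if name.lower() == "all" else (name,)
        for n in names:
            if op == "-":
                enabled.discard(n)
            else:
                enabled.add(n)
    return enabled


def audit_tls_config(text):
    """Return a list of (directive, enabled_versions, weak_versions) findings.

    `text` is the contents of an nginx or Apache config. Each protocol
    directive yields one tuple; `weak_versions` is empty when acceptable.
    """
    findings = []
    for m in NGINX_RE.finditer(text):
        enabled = set(m.group(1).split())
        findings.append(("ssl_protocols", sorted(enabled), sorted(enabled & WEAK)))
    for m in APACHE_RE.finditer(text):
        enabled = _apache_enabled(m.group(1).split())
        findings.append(("SSLProtocol", sorted(enabled), sorted(enabled & WEAK)))
    return findings


def is_compliant(text):
    """True when every protocol directive in `text` is free of weak versions.

    A config with no protocol directive at all is reported as non-compliant:
    it inherits the server's build-time default, which may still allow TLS 1.0.
    """
    findings = audit_tls_config(text)
    return bool(findings) and all(not weak for _, _, weak in findings)


if __name__ == "__main__":
    for label, cfg in (("weak nginx", WEAK_NGINX), ("hardened nginx", HARDENED_NGINX),
                       ("weak apache", WEAK_APACHE), ("hardened apache", HARDENED_APACHE)):
        for directive, enabled, weak in audit_tls_config(cfg):
            status = "FAIL" if weak else "ok"
            print(f"{label:16} {directive:14} enabled={enabled} weak={weak} -> {status}")
```

The Apache case is the one that catches people: `SSLProtocol all -SSLv3` reads as "everything except the broken one" but leaves TLS 1.0 and 1.1 enabled, so the audit reports it as failing while `-all +TLSv1.2 +TLSv1.3` passes. A config audit only tells you what the file says; confirm the running service with a live handshake, for example `openssl s_client -connect host:443 -tls1`, which should be refused once the migration is complete.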
Some critics predicted that the new changes may be confusing for many users. “By setting a two-year window to become compliant, the PCI SSC may have inadvertently set up a period of greater confusion for end users, who will need to take extra care to ensure that their data is adequately stored and protected, and that third-party providers guarantee a high degree of security and compliance,” Chris Scott of The Bunker told InfoSecurity Magazine.
“Cloud providers that are compliant only with PCI DSS regulations older than 3.2 will be leaving their customers more vulnerable to attack, and the fact that it will take some up to two years to meet the requirements shows how far behind many cloud providers are,” he added.