News & Resources

How lenders can prepare for PCI DSS 3.2

Oct 07, 2016 Dave King

How lenders can prepare for PCI DSS 3.2

Enterprises that handle consumer credit and payment data in any manner must reassess their security capabilities if they wish to comply with the Payment Card Industry Data Security Standard Version 3.2.

"A big focus in v3.2 is multi-factor authentication."

The PCI Security Standards Council published the standard in April, in lieu of 3.1's expiration at the end of October. Lenders that reference consumer payment information to assess customers' creditworthiness must be cognizant of several changes PCI DSS 3.2 introduces.

What's new in PCI DSS 3.2?
A big focus in v3.2 is multi-factor authentication, which applies to all personnel with non-console administrative access or remote access to cardholder data environments (CDEs). The PCI DSS Quick Reference Guide specified that, when employing multi-factor authentication, businesses must use at least two of the following verification methods:

  • A password or phrase
  • A token device or smart card
  • Personal biometric information

For example, if one of your administrators wanted to enter a CDE from his home, PCI DSS 3.2 specifies he would have to submit a password to the system as well as scan a smart card to view information within the system.

PCI DSS 3.2 also added several new requirements regarding system penetration testing, compliance process assessments, and general security controls monitoring. Specifically, organizations must architect and employ a penetration testing method that reviews the organization's vulnerability to internal and external threats. In addition, the business must perform that test annually at minimum.

Service providers - including payment processors, consumer credit bureaus and POS developers - must conduct reviews of their security policies and operational procedures on a quarterly basis. It's important to note this will be a requirement as of February 1, 2018.

Does your organization have a breach response strategy?

Achieving PCI DSS 3.2 compliance
Unfortunately, many companies fail to meet PCI DSS 3.0. Verizon's 2015 Compliance Report showed 80 percent of businesses fail their interim PCI compliance evaluations. In fact, MicroBilt is one of the few companies that consistently follows the latest PCI DSS versions, as it adheres to PCI DSS 3.1.

With respect to achieving PCI DSS 3.2 compliance, PCI SSC recommended taking its Prioritized Approach. This strategy entails addressing six security concerns in a way that limits operational disruption:

  1. Delete sensitive authentication data and minimize​ data retention: Removing cardholder information from storage environments reduces the costs of a data breach if it occurs.
  2. Establish system and network controls: Dictate who can access databases, applications and networks as well as set up a breach response plan.
  3. Protect payment card applications: Identify weaknesses across the application code, processes and host servers.
  4. Monitor access to infrastructure: Figure out a way to know the who, what, when and why of each system interaction.
  5. Defend cardholder data: For those businesses that need to store primary account numbers, use tokenization, end-to-end encryption or other technologies that mask information.
  6. Reassess your compliance efforts: Analyze all of your policies, procedures and operations to determine if any other vulnerabilities exist.

As a lender, ensure the bureau from which you receive consumer credit data employs technology and processes in-line with the latest PCI standards. MicroBilt not only employs two-factor authentication, but also contracts a third-party to audit its infrastructure for security vulnerabilities. If you want to learn more about how we secure our assets, speak with one of our consultants today.