PCI Standard’s Multi-factor Authentication Mandate Delayed ‘Til 2018
Deadlines for compliance for two of the most important mandates in PCI DSS version 3.2 have been delayed to 2018.
The PCI Security Standards Council (PCI SSC) last month published a new version of its data security standard (DSS), used to safeguard payment data before, during and after a purchase is made. The new version features several significant changes, including adding multi-factor authentication as a requirement for any personnel with administrative access into environments handling card data. Previously this requirement applied only to remote access from untrusted networks.
Additionally, it requires a migration to more modern SSL/TLS encryption, and features mandates for organizations to ensure security controls are in place following a change in their cardholder data environment, among other updates.
PCI DSS 3.2 replaces 3.1 which will expire on October 31—this means that after that, all organizations will need to validate their compliance using v3.2 instead of 3.1, just like any previous version of the DSS. However, that deadline is extended for both SSL/TLS migration (extended to July 2018) and multi-factor authentication (which must be deployed by 1 Feb. 2018).
It’s a state of affairs that could cloud things for everyone, according to Chris Scott, program director at The Bunker.
“By setting a two-year window to become compliant, the PCI SSC may have inadvertently set up a period of greater confusion for end users, who will need to take extra care to ensure that their data is adequately stored and protected, and that third-party providers guarantee a high degree of security and compliance,” said Scott. “Cloud providers that are only compliant with older PCI DSS regulations than 3.2 will be leaving their customers more vulnerable to attack, and the fact that it will take some up to two years to meet the requirements show how far behind many cloud providers are.”
Other specialists however say that concern is overblown.
“The two specific requirements mentioned above affect many organizations and are not very easy to fix, especially if you have complex legacy infrastructures,” Neira Jones, independent advisor and non-executive director at both Cognosec and Pay:Way, said in an interview. “You have to put yourself in the shoes of the SSC: they rely on feedback from their members, the participating organizations. In this instance, I believe that the participating organizations have fed back that they needed more time of those two points, and the SSC has to listen to their members, that is the nature of the beast.”
She added, “It also has to be said that whilst those deadlines are set in 2018, the SSC clearly recommends that these requirements should be complied with as soon as possible. And whilst I, like many other infosec professionals, would like to see early SSL/TLS eradicated and MFA deployed everywhere, we have to face the harsh reality of our environment, and I can’t blame the SSC for that.”
“In my opinion, this situation doesn’t introduce new risk—it simply heightens awareness of an existing risk,” said Dwayne Melancon, CTO at Tripwire, speaking to Infosecurity. “I agree that the time frame for resolution is fairly long, but it can take time for organizations to implement changes in complex environments.”
He added, “In the meantime, there is a middle ground that is workable—that middle ground involves increasing the amount and rigor of monitoring around the in-scope infrastructure and storage. Understanding what ‘normal’ behavior in the environment looks like is crucial, then the intensive monitoring can more easily identify abnormal behavior, which could indicate a compromise of data. That approach will help mitigate the risk of data theft until the proposed changes are completed.”
Source | Infosecurity-Magazine