Written by Eliott C. Ponte, Regulatory Compliance Counsel
Last month, the Payment Card Industry Security Standards Council released an update to its data security standards, version 3.2. The new version of the Payment Card Industry Data Security Standard (PCI DSS) will replace the current version, version 3.1, which is set to expire on October 31, 2016.
At NAFCU Compliance, from time to time, we receive general questions on PCI compliance. While no one at NAFCU holds themselves out as a PCI compliance expert, I wanted to answer some general PCI questions that the compliance team frequently receives, as well as highlight some of the changes in version 3.2.
What is PCI DSS?
PCI DSS is an information security standard for organizations that process, store, or transmit credit card information. The standard sets out operational requirements for protecting card data against unauthorized access, use, or disclosure. PCI DSS is administered by the Payment Card Industry Security Standards Council, an organization founded by the major credit card brands (MasterCard, Visa, American Express, Discover, etc.).
Who must comply with PCI DSS?
PCI is a contractual compliance requirement issued by the major card brands. PCI DSS generally applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process, or transmit cardholder data and/or sensitive authentication data. Credit unions may be both merchants, if the credit union allows cash withdrawals from credit cards at the teller line, and service providers, if their members' credit card information is stored on their systems.
Periodic validation of compliance is usually required. Non-compliance with PCI DSS requirements could result in liability, including fines levied by the payment card brands and the CFPB. Each payment card brand has its own program for compliance, validation levels, and enforcement. More information about compliance can be found at the links below:
- MasterCard: mastercard.com/sdp
- American Express: americanexpress.com/datasecurity
- Discover: discovernetwork.com/fraudsecurity/disc.html
- JCB International: http://partner.jcbcard.com/security/jcbprogram/
- Visa Inc: visa.com/cisp
What Does Version 3.2 Change?
According to the PCI press release on version 3.2, the primary changes are clarifications on requirements that help organizations ensure critical data security controls are in place, monitored, and effectively tested. Nevertheless, the updated PCI DSS changes are significant.
One major change in version 3.2 is that multi-factor authentication is now required for all personnel with non-console administrative access and all personnel with remote access to the cardholder data environment. Other major changes affect the requirements for entities using Secure Sockets Layer (SSL)/early Transport Layer Security (TLS) for encrypted data transmission, and integrate the Designated Entities Supplemental Validation (DESV) assessment into the standard.
Credit unions that meet the definition of service providers will want to pay particular attention to the new requirements imposed on them. For example, service providers will be required to maintain a documented description of the cryptographic architecture, detect and report on failures of critical security control systems, and perform reviews at least quarterly to confirm personnel are following security policies and operational procedures (Requirements 3.5.1, 10.8, and 12.11). In addition, executive management is now responsible for the protection of cardholder data and PCI DSS compliance (Requirement 12.4.1).
For a high-level overview, the Payment Card Industry Security Standards Council released a summary of the changes from version 3.1 to version 3.2. The summary places changes into three categories: (1) clarifications to existing rules, (2) additional guidance, and (3) “evolving requirements” (updated or new requirements). Credit unions should note that “evolving requirements” have an effective date of February 1, 2018. Credit unions that are required to conduct PCI compliance should carefully review this document to determine how the new version affects their security standards. Other resources available to credit unions include a quick reference guide, a version 3.2 resource guide, a PCI FAQ database, a guide on migrating from SSL and early TLS, and a version 3.2 high-level webinar. The Security Standards Council also has a blog, which provides some background commentary on the changes.