PCI 3.2 Best Practices Will Soon Be Mandatory: Prepare yourself for February 1st 2018

By Abhishek Rai | 01.29.2018 | Compliance


The implementation deadline for PCI DSS 3.2 is February 1st 2018. After this date, the controls that the standard currently lists as “best practices” will no longer be optional; they become mandatory requirements.

The new requirements apply to all merchants and service providers who store, process or transmit credit card payments from Visa, MasterCard, Discover and American Express. The updates strengthen the security measures required against cyber-attacks.

In this article, we cover the 12 requirements as stated in PCI DSS 3.2, including the new obligations within them, that you need to ensure you are able to meet.

1. Install and maintain firewall configuration to protect cardholder data

This requirement protects systems and networks, and prepares you to respond to a system breach. It requires you to establish and enforce firewall and router configuration standards. The aim is to block connections between untrusted networks and any system holding cardholder data. It also requires you to prevent direct public access between the Internet and any system that stores or processes cardholder data. Install personal firewall software, or an equivalent, on any device that connects to the Internet from outside the company’s network.

2. Change vendor default passwords and other security parameters on all systems

As per this requirement, you must change default passwords and deactivate unnecessary default accounts before connecting a system to the network. Prepare configuration standards for all system components. Ensure that these standards address all known security risks and are in line with industry-accepted hardening standards (such as ISO, CIS and others). Encrypt all non-console administrative access using strong cryptography. Create and maintain an inventory of system components in scope for PCI DSS. Document all policies and operational procedures for managing vendor defaults and other security parameters, and ensure they are in use and known to all affected parties. Shared hosting providers must protect each client’s hosted environment and cardholder data. These steps also secure payment card applications.

3. Protect stored cardholder data

This requirement targets the protection of stored cardholder data (CHD). Keep CHD storage to a minimum, in line with documented data retention and disposal policies. Don’t store sensitive authentication data after authorization. Mask the PAN when it is displayed and render it unreadable wherever it is stored. Document the processes used to protect the keys that secure stored CHD. Ensure that the security policies for protecting stored CHD are documented and conveyed to all relevant parties.

4. Encrypt when you transmit card holder data across open, public networks

This clause aims to protect systems and networks, and helps you to be ready to respond to a system breach. Use strong cryptography and security protocols to protect CHD whenever you transmit it over open, public networks. Never send unprotected PANs through end-user messaging technologies such as email, instant messaging and others. Document the security policies for protecting CHD in transit, and ensure the policy is known to all relevant parties.
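Requirements 3 and 4 above both come down to one practical question: does a PAN ever appear unmasked in a place it should not (a log line, an email body, a chat message)? The following Python is an added example, not code from the original article or from Lepide; it finds candidate card numbers in free text, keeps only those that pass the Luhn check that card brands use, and masks them to the PCI DSS display form (first six and last four digits at most). The log lines and the Visa/MasterCard test numbers in it are constructed sample input.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check used by card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits at most, the rest masked."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return every Luhn-valid card number found in free text (logs, messages)."""
    return [m.group() for m in PAN_RE.finditer(text)
            if luhn_valid(re.sub(r"\D", "", m.group()))]


def redact(text: str) -> str:
    """Replace each Luhn-valid PAN with its masked form; leave other numbers alone."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_RE.sub(repl, text)


# Constructed sample log lines using the well-known Visa and MasterCard test
# numbers; the 'ref' value on line 3 is 16 digits but fails the Luhn check,
# and line 4 is already masked, so neither must be touched.
SAMPLE_LOG = """\
2018-01-29 10:01:05 INFO  order=8831 card=4111111111111111 status=APPROVED
2018-01-29 10:01:09 DEBUG raw request: pan=5500 0000 0000 0004 exp=12/20
2018-01-29 10:02:11 INFO  order=8832 ref=1234567890123456 status=QUEUED
2018-01-29 10:03:40 INFO  order=8833 card=411111******1111 status=APPROVED
"""

if __name__ == "__main__":
    print("unprotected PANs found:", find_pans(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

Run it over a day's application logs or an outbound mail queue sample and a non-empty result from find_pans is a requirement 3/4 finding to raise; the same masking logic belongs in the application's display layer rather than in a clean-up script.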

5. Use strong anti-virus software and regularly update it

Implementing this clause protects systems and networks, and prepares you to handle a system breach. Install anti-virus software on all systems commonly affected by malicious software. Keep it up to date, run periodic scans, ensure it is actively running and cannot be disabled, and generate and retain its audit logs as PCI DSS requires. Document and implement security policies to protect systems against malware.

6. Establish and maintain secure systems and applications

This step secures payment card applications, supports compliance efforts, and ensures all controls are applied. Create a process to identify security vulnerabilities and assign each a risk ranking. Protect all software (including operating systems) and system components from known vulnerabilities by installing critical security patches and updates within one month of release.

Always develop internal and external software applications in line with PCI DSS or an industry standard. All changes to systems and applications must go through a change control process. Develop applications following secure coding guidelines. Protect public-facing web applications from new threats and vulnerabilities on a continuous basis. Implement and document security policies for developing and maintaining secure systems and applications.

7. Ensure that only authorized people can access cardholder data

Ensure that only authorized people can access system components and CHD. Implement least privilege, with access set to “deny all” by default unless specifically required. Ensure that the CHD access policy is documented and known to all. Third-party auditing solutions can help you fulfil this requirement. LepideAuditor, for example, can help you implement PCI DSS 3.2 compliance through pre-defined reports.

8. Identify each user and non-consumer user with a unique ID

Define and implement user identification management policies for both users and administrators who handle CHD. Ensure proper user-authentication management for these users and administrators on all system components. Secure all administrative access and all remote access with multi-factor authentication. Document the authentication policies and procedures and communicate them to all users.

9. Limit access to CHD physically

Protect stored cardholder data. Control physical access to systems in the cardholder data environment. Implement procedures to easily distinguish between onsite personnel and visitors, and to authorize both. Physically secure all storage media. Control the internal and external distribution of all media. Document and implement security policies that restrict physical access to cardholder data.

10. Audit access to network resources and cardholder data

Log all user access to each system component and record complete audit trail entries. Use time-synchronization technology (such as NTP) to keep all critical system clocks aligned, use a standard time format, and protect the time data. Retain audit data for at least one year. Service providers must implement a process to promptly detect and report failures of critical security controls such as firewalls, IDS/IPS and others.

11. Regularly test security systems and processes

Test regularly for the presence of authorized and unauthorized wireless access points (802.11). Run internal and external network vulnerability scans regularly, and perform penetration testing using an industry-accepted methodology. Use intrusion detection and prevention techniques to detect and prevent intrusions into the network.

12. Create an information security policy for all personnel

This requirement supports compliance efforts and ensures all controls are in place to protect systems and to react to system breaches. Perform a risk assessment at least annually and develop usage policies for critical technologies. Clearly define information security responsibilities for all personnel. Assign information security management responsibilities to an individual or team; this applies to service providers as well.

With its predefined, dedicated reports, LepideAuditor helps you meet the requirements of PCI compliance.


Lepide® is a registered trademark of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All trademarks acknowledged.