It is essential for any organization that processes, stores or transmits credit card data to be compliant with the Payment Card Industry Data Security Standard (PCI DSS)—and as the world’s largest cloud-native company, Cloudreach certainly falls within these parameters.
Managed service providers (MSPs) provide a valuable service by taking on outsourced information technology functions, but they need to be compliant with the Payment Card Industry Data Security Standard (PCI DSS) – and just because they say they are PCI DSS compliant does not mean they are a good fit. Below are our tips for looking beyond the PCI DSS logo on an MSP's website to determine whether they are truly compliant.
Earlier this year, we wrote about how to prepare for PCI DSS 3.2. Now, organizations should begin to implement changes with the PCI DSS 3.2 official release.
These standards should be adopted as soon as possible: version 3.1 will expire on October 31, 2016, and all new requirements become mandatory on February 1, 2018, giving organizations time to prepare. Until that point, the new requirements are considered best practices.
PCI DSS 3.2 Changes
Specific changes include:
- Additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE)
- Incorporating some of the Designated Entities Supplemental Validation (DESV) criteria for service providers
- Clarifying masking criteria for primary account numbers (PAN) when displayed
- Including the updated migration dates for SSL/early TLS that were published in December 2015
In addition, the PCI DSS Designated Entities Supplemental Validation criteria have officially been added as an appendix to the standard, with several PCI DSS requirements (3, 10, 11 and 12) now including DESV controls for service providers.
If you are unsure about how the changes may affect your specific environment, the professionals at A-LIGN are ready to help your organization determine how PCI DSS 3.2 will impact you, as well as develop an appropriate course of action. For current clients, A-LIGN’s PCI DSS experts will be reaching out to determine how PCI DSS 3.2 affects them.
If you have questions regarding PCI DSS or how version 3.2 may impact your specific environment, please contact A-LIGN. Our PCI DSS specialists are available to answer your questions at email@example.com or 1-888-702-5446.
By: Gene Geiger, Partner of A-LIGN
Following the 36 month lifecycle the PCI Security Standards Council (“Council”) has established for the published standards, Version 3.0 of the PCI Data Security Standard is in the final stages before it will be released on November 7, 2013.
Through several webinars and documents provided to stakeholders, the Council has shared information on the final draft in order to receive feedback at the 2013 Community Meeting, to be held in Las Vegas on September 24 – 26.
The core twelve requirements remain the same, but after a review of the changes and guidance provided by the Council, the change to Version 3.0 is more comprehensive than what we experienced with previous version changes. However, due to the impact of these changes and the time it may take to fully comply with the requirements of Version 3.0, Version 2.0 may be used for assessment until December 31, 2014. Nonetheless, the Council encourages adoption of Version 3.0 as soon as practical.
“PCI Data Security Standard Version 3.0 – Breakdown of Changes to Anticipate”