INTRODUCTION & CHANGES IN PCI-DSS V3.2
The Payment Card Industry Data Security Standard (PCI- DSS) was developed to follow the policy and standards of cardholder data security which consistent data security measures globally. PCI- DSS provides a minimum of technical and operational requirements to protect data of the cardholders. PCI -DSS applies to all operation which involved in payment card processing of cardholder data.
The below describes the changes in PCI-DSS v3.2 from version 3.1.
AREAS EMPHASISED IN V3.2:
CHANGE MANAGEMENT PROCESS:
- The Change Management Process is done to perform the secure changes during the process based on the business requirement.
ADMINISTRATIVE ACCESSING:
- The Administrative privilege is given only to the single user were the particular can gain the read, write and execute access to the changes in the environment.
INCIDENT RESPONSE:
- Incident response is nothing but when there is an issue raised in the environment the action is taken based on the severity of the problems.
E-COMMERCE – A-EP ENVIRONMENTS:
- the “Expected Testing” column is based on the testing procedures in the PCI DSS and provides a high-level description of the types of testing activities should be performed to verify that a requirement has met.
SAQ VERSION | # QUESTIONS V3.1 | # QUESTIONS V3.2 | DIFFERENCE |
| SAQ D-SP | 347 | 369 | +22 |
| SAQ D-MER | 326 | 331 | +5 |
| SAQ C | 139 | 162 | +23 |
| SAQ A-EP | 139 | 193 | +54 |
| SAQ B-IP | 83 | 84 | +1 |
| SAQ C-VT | 73 | 80 |
+7
|
| SAQ B | 41 | 41 | 0 |
| SAQ P2PE-HW | 35 | 33 | -2 |
| SAQ A | 14 | 22 | +8 |
MASKING THE PAN NUMBER
DISPLAYING THE PRIMARY ACCOUNT NUMBER
- First six and last four digits of PAN can be displayed based on the current requirement.
For a legitimate business need the pan number must be encrypted. Follow Requirement 3.3 for further reference.
CHANGE CONTROL
CHANGES IN CHANGE CONTROL IN V3.2
- Maintain proper documentation when any change control issued.
- Implement all the necessary control in all the new and existing systems or devices.
- Change control processes must include verification of PCI DSS requirements impacted by a (significant) change. Fallow Requirement 6.4.6 which is effective from Feb 1, 2018.
HIGH-RISK VULNERABILITY MANAGEMENT
INTEGRATE VULNERABILITIES INTO THE RISK ASSESSMENT PROCESS
- Ensure all “high risk” vulnerabilities must be addressed for internal scans and resolved.
- By the vulnerability ranking as per Requirement 6.1 and 6.2 in PCI-DSS scope.
- After resolving the vulnerabilities ensure the risk has been cleared by rescanning.
REMOTE ADMINISTRATOR ACCESS TO CDE
ANY NON-CONSOLE ADMINISTRATOR ACCESS TO CDE
- All the non-console access into CDE for personnel with administrative access must implement the multi-factor authentication.
- The current requirement for multi-factor authentication for remote access to CDE for personnel with administrative access still applies according to the PCI-DSS scope.
- Fallow PCI-DSS scope 8.3.1 and 8.3.2 mandatorily from Jan 31, 2018.
RESOURCE
- Refer the following document for the PCI-DSS scope.
- LINK: pcisecuritystandards.org/document_library?category=pcidss
AUTHOR
Dharmesh B
Security Engineer
Briskinfosec Technology and Consulting Pvt Ltd.,
https://www.linkedin.com/in/dharmeshbaskaran/
Posts
