

By Gavin Buckton, senior security consultant at Nettitude

If your organisation doesn’t store, process or transmit payment card data, or provide a service that could affect a client’s Cardholder Data Environment (CDE), you can look away now. If it does, you will need to understand how the latest version of the Payment Card Industry Data Security Standard (PCI DSS) affects your business.

Twelve years on from PCI DSS’s debut in December 2004, version 3.2 has now formally been launched. Breaking away from the traditional three-year release cycle, the latest iteration brings a number of additions and changes.

Version 3.2 is by no means the finished article. For as long as we have payment cards and fraudsters seeking innovative ways of acquiring our assets, we can expect PCI standards to continue to evolve. In recognition of this ‘war of attrition’, as cyber criminals build increasingly sophisticated tools, the standard will continue to adapt by mandating suitable countermeasures. From this point on, new versions will be developed and released as and when required, in direct response to emerging threats. The PCI Security Standards Council (PCI SSC) will monitor the threat landscape, review breach reports and keep abreast of technological change, and feed all of this into future iterations of the standard.

What’s new?

In summary, the updated standard extends multi-factor authentication. Previously required only for remote access into the network, it now covers all non-console administrative access to the CDE, including access from inside the network (Requirement 8.3). This change provides greater protection against malware-based attacks: for instance, an IT support workstation compromised by a key-logger yields the usernames and passwords of CDE systems, which are then used for unauthorised access. With a second factor such as a one-time password or a digital certificate in place, a captured password alone is no longer enough, which makes this attack vector considerably harder to exploit. Like the other new requirements in 3.2, this is a best practice until 31 January 2018 and mandatory from 1 February 2018.
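To make the key-logger scenario concrete, here is an added example (not from the article or from Nettitude) of the second factor the author mentions: a minimal RFC 6238 time-based one-time password (TOTP) verifier in Python, combined with a password check and single-use enforcement. The account name, password, salt and iteration count are constructed for the demo; the TOTP seed is the RFC 6238 test-vector seed, so the codes it produces can be checked against the RFC. It shows that a key-logged password alone fails, and that a password plus an already-used code also fails.

```python
"""Minimal password + TOTP (RFC 6238) authenticator, with single-use codes."""
import hashlib
import hmac
import struct

# Constructed demo parameters (not real credentials or production settings).
ITERATIONS = 100_000
SALT = b"constructed-demo-salt"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1):
    """Return the time-step counter the code matches, or None.

    window is the tolerated clock drift in steps either side of 'now'.
    compare_digest avoids leaking the match position through timing.
    """
    now = unix_time // step
    match = None
    for counter in range(now - window, now + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            match = counter
    return match


def make_account(username: str, password: str, totp_secret: bytes) -> dict:
    """Constructed account record: salted password hash, TOTP seed, last used counter."""
    return {
        "username": username,
        "password_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS),
        "totp_secret": totp_secret,
        "last_counter": -1,
    }


def authenticate(account: dict, username: str, password: str, otp: str, unix_time: int) -> bool:
    """Both factors must verify. A code is single-use: reuse of a counter is rejected,
    so an OTP captured alongside the password cannot be replayed, even inside the drift window."""
    if username != account["username"]:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)
    password_ok = hmac.compare_digest(candidate, account["password_hash"])
    counter = verify_totp(account["totp_secret"], otp, unix_time)
    otp_ok = counter is not None and counter > account["last_counter"]
    if password_ok and otp_ok:
        account["last_counter"] = counter
        return True
    return False


if __name__ == "__main__":
    # RFC 6238 test-vector seed; the password is a constructed demo value.
    secret = b"12345678901234567890"
    acct = make_account("cde-admin", "correct horse battery staple", secret)
    # Attacker has the key-logged password but no second factor.
    print("password only:", authenticate(acct, "cde-admin", "correct horse battery staple", "000000", 59))
    # Legitimate login at t=59 (counter 1, code 287082 per RFC 6238).
    print("password + OTP:", authenticate(acct, "cde-admin", "correct horse battery staple", "287082", 59))
    # Attacker replays the captured code a few seconds later, still inside the drift window.
    print("replayed OTP:", authenticate(acct, "cde-admin", "correct horse battery staple", "287082", 75))
```

The replay check matters because a key-logger on a support workstation captures the one-time code as well as the password; without tracking the last accepted counter, the attacker has the full drift window (here 90 seconds) to reuse it. Production systems would also rate-limit attempts and bind the seed to the user's enrolled device.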

Service providers also face additional requirements: a documented description of their cryptographic architecture, timely detection and reporting of failures in critical security controls, quarterly reviews to confirm that personnel are following security policies, executive-level responsibility for protecting cardholder data, and penetration testing of segmentation controls at least every six months rather than annually. Change management is tightened for everyone: after a significant change, all entities must confirm that the relevant PCI DSS requirements are still in place.

What are the implications for businesses?

While the individual changes are relatively minor, the move away from the three-year release cycle will have the most noticeable long-term impact, and should deliver significant benefits, since changes to the standard will now be released in direct response to threats and incidents observed in the field. Compliance requirements and the threat landscape are converging, with smaller, more frequent changes to the control set now the order of the day. With this strategic shift comes a requirement to adapt to change more quickly.

For an agile organisation that can incorporate technology and process changes relatively seamlessly, each release will have a smaller impact and the transition should be smooth. For those with a more inflexible set-up, the increased release frequency is likely to present more of a challenge.

Top tips for maintaining compliance under the new regime

  • First and foremost, keep abreast of changes and make checking for updates part of the ongoing internal routine. This allows as much time as possible to incorporate any required changes into the environment
  • Ensure programme and project lifecycles take security and compliance into account at the outset; it should not be left to the final stages of testing to discover that a new web application for processing payments is non-compliant, for instance
  • Recalibrate the risk register; the financial implications of non-compliance can be significant and should be factored in. Unlike many other risks, the likely impact of non-compliance can be predicted with some confidence. Review the register regularly to ensure compliance efforts are given appropriate priority
  • Investigate technologies that reduce PCI scope and compliance burden, such as tokenisation and point-to-point encryption. The less of an organisation’s estate that falls within scope, the less it suffers from continually shifting compliance goalposts

The PCI SSC’s decision to make incremental changes to the standard in response to shifts in the threat landscape is a step in the right direction. Organisations that keep abreast of changes and implement the new control requirements in a timely manner will shorten the window of opportunity for cyber criminals to exploit weaknesses in systems and processes, and reduce the negative impact of fraud as a result.
