New PCI Security Rules

by Raymond Pucci 0

Will enhanced PCI rules be an effective security barrier for payments data? As described in the following article, new PCI requirements, to be issued on April 28, mandate an intended all-encompassing restriction on access to payments data.

When the PCI Security Council issues its new payments security requirements on Thursday (April 28), it is going to impose new rules about authentication and service providers. What is intriguing about the new edicts in 3.2 is the council’s new acknowledgment that to protect payment, protections have to happen in the larger corporate universe.

For quite some time, the rules have required multifactor authentication for people who work directly with any payments data. Bowing to real-world reality, PCI will, as of Thursday, insist on multifactor authentication for anyone whose network access privileges might possibly enable them to touch payments data, whether it’s their job or not. In other words, the universe of people who will have to abide by PCI rules just got a lot larger.

PCI Chief Technology Officer Troy Leach said that expanding the people impacted far beyond those who have payments data jobs is now necessary.

“The most important point is that the change to the requirement is intended for all administrative access into the cardholder data environment, even from within a company’s own network. This applies to any administrator, whether it be a third party or internal, that has the ability to change systems and other credentials within that network to potentially compromise the security of the environment,” Leach said. “This will not impact machine authentication where one system is communicating with another as it is intended for personnel authentication, nor will it impact administrators accessing directly from the console.”

The point? Either wall off your payment data so that no one beyond the small set of authorized persons can get access, regardless of network privilege, or force everyone to play by PCI rules. Here’s the kicker: They already should have been playing by PCI rules. As much as PCI is far from perfect, its guidelines are indeed very well-thought-out best practices for retail and, as a practical matter, just about every vertical.

As with any revised security regulation roll-out, the key will be fast and complete communication of the enhanced rules and then universal compliance. That would seem to be an ambitious goal given the amount of temporary staff and contractors that are now interwoven in the organizational structures of every company. We will see soon enough if the new PCI rules have sealed the leaks.

Overview by Raymond Pucci, Associate Director, Research Services at Mercator Advisory Group

Read the full story here