The Payment Card Industry (PCI) Data Security Standard version 3.2 is set to be released later this month, according to the PCI Council.
This new version was created to make storing payment data more secure. PCI DSS version 3.1 was released in April 2015 and, according to Payments Source, will expire Oct. 31, 2016. One of the biggest differences between the two is that multifactor authentication is now required of any person accessing cardholder data.
Troy Leach, chief technology officer of the PCI Council, said in an interview that older standards required untrusted parties accessing cardholder data remotely to verify themselves with two-factor authentication. Now, any person accessing the data environment has to use a minimum of two credentials to verify their identity. The council switched terms from two-factor to multifactor to account for the fact that more than two credentials can be used.
Leach said organizations need to review their current authentication process to prepare for 3.2. They must also look at the role of every person who has access to payment data to identify who will need additional verification.
What does this new standard mean for businesses?
Essentially, PCI 3.2 means organizations dealing with payment card data will be subject to even higher security standards. Businesses handling consumer information must enforce multifactor authentication among applicable employees or risk falling out of compliance. While adhering to PCI guidelines isn't legally required, doing so protects businesses from liability in the event of a security breach.
Unfortunately, maintaining PCI compliance on one's own isn't exactly easy. Many emerging business owners don't have the time or resources to devote to storing payment data safely. Even larger companies have difficulty adhering to PCI guidelines.
One way businesses can lessen the burden of PCI compliance is by using a payment processing company that is itself PCI compliant. Such organizations know the ins and outs of the Data Security Standard and keep card data separate from the individual businesses they serve.
In addition, PCI DSS 3.2 has requirements specifically for third-party service providers. This lessens the chance that secure and compliant businesses will suffer as a result of data breaches from the companies handling their payments.
"Service providers play an important role in securing cardholder data for their customers," Leach said in the interview. "An organization could go to great lengths to protect their internal network only to see a third party negate all of their effort as indicated in data breach reports."
Processing companies and merchants are rated on a tier system. Level 1 organizations handle the most transactions and therefore have the strictest guidelines. Level 4 businesses process the fewest transactions. Businesses should always choose a payment processor with the highest PCI level possible.