PCI - Ratcheting up Security Requirements
Last year, PCI DSS version 3.1 came out and caused a stir by eliminating SSL as an approved component of infrastructure. As significant as that was, version 3.2 has changes that are even more far-reaching and potentially disruptive to the way that we manage our businesses and environments.
The major new requirement is to require Two Factor Authentication (TFA) for ALL access to PCI data. Previously, only untrusted, remote access required the use of TFA.
Think about what this means and the potential increases in cost for organizations.
All internal employees who access cardholder data must have TFA. All consultants, Business Associates and partners who have access to cardholder data must have TFA. This applies whether they are accessing the data remotely or internally within the organization's own network.
Software development and testing, as well as systems integration and analytics, will now be subject to increased costs and will require additional processes and controls to monitor the additional layer of security.
Many organizations are moving to DevOps, which increases the pace of software delivery. How will they react to this new requirement? Can they quickly, safely and repeatedly have card data removed from their environments? Do they even know where their sensitive data is located? Can they certify that environments that had been secured remain secure?
Or will they invest in biometrics?