If you are a merchant who has outsourced PCI DSS responsibilities to a third party, it is prudent to ascertain how the provider plans to meet the requirements that come into effect at the end of 31 January 2018. Whilst this date may seem reassuringly distant, planning and implementing the changes can take a significant amount of time, and it is never too early for merchants or providers to consider how they will meet these new requirements.
The new requirements in PCI DSS 3.2 mandate the use of multi-factor authentication to provide more comprehensive identity management. It is vital that affected merchants use the 18 months before the requirement comes into effect to implement multi-factor authentication thoroughly, so that it does not disrupt the customer journey or usability.
Staying abreast of upcoming changes before they become mandatory makes for a smoother transition and ensures future updates can be met with minimal fuss. Merchants should use the time before 31 January 2018 to centralise user account administration whilst consolidating the access methods and entry points to CDE systems.
If you are working with a third-party provider that handles or processes cardholder data on your behalf, we recommend staying in continuous contact over the coming year and a half to ensure all requirements are met when they come into effect at the start of 2018.
Tom Eggleston, Managing Director of ProofID, explains:
PCI DSS v3.2 was released in April 2016, becoming the eighth information standard for organisations handling branded credit cards. Administered by the Payment Card Industry Security Standards Council, the first PCI DSS version was released in December 2004, stipulating a 12-point requirement list to protect cardholder data, and build a secure network.