The Payment Card Industry Security Standards Council has issued an update to the Payment Card Industry Data Security Standard (PCI DSS) to provide greater clarity on requirements.

As widely expected, one of the few changes in PCI DSS version 3.2 is the requirement of multifactor authentication for administrators accessing the cardholder data environment, even from within the company’s own network.

Previously, the standard called for the use of multifactor authentication only for remote access to the cardholder data environment from untrusted networks.

To prepare for this change, the PCI Council said organisations should review how they currently manage authentication into their cardholder data environment, and review current administrator roles and access to identify where authentication is likely to be affected by the new requirement.

PCI DSS version 3.2 also introduces a requirement for service providers to:

Detect and report on failures of critical security control systems;

Maintain a documented description of the cryptographic architecture;

Change control processes to include verification of PCI DSS requirements affected by a change;

Perform penetration testing on segmentation controls at least every six months, rather than annually;

Establish responsibilities for the protection of cardholder data and a PCI DSS compliance programme;

Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures.

All other changes in version 3.2 are clarifications or additional guidance.

Although the new version replaces version 3.1, which expires on 31 October 2016, the Security Standards Council, which administers the PCI DSS, said companies that accept, process or receive payments should adopt it as soon as possible to prevent, detect and respond to cyber attacks that could lead to breaches.