Here’s a quick look at the requirements service providers are expected to meet under PCI DSS 3.2 and 3.2.1.
* Note: PCI DSS 4.0 is now the latest version of the standard; the requirements described below are those of 3.2 and 3.2.1.
The PCI Council released PCI DSS 3.2 in April 2016, which introduced several new requirements for service providers. On February 1, 2018, these new requirements became mandatory for compliance. Then in May 2018, the council released PCI DSS 3.2.1. Version 3.2.1 does not add or remove any requirements for service providers.
Here’s a quick look at the requirements that became mandatory in 2018, and what service providers are expected to do to follow them.
Service providers need to maintain a documented description of cryptographic architectures, including:
You should keep up with evolving threats to your architecture by planning for and documenting updates (e.g., changes to algorithms or key strengths). Maintaining this documentation helps you detect lost or missing keys or key-management devices, and identify unauthorized changes to your cryptographic architecture.
See also: PCI DSS Requirement 3: What You Need to be Compliant
Service providers are required to implement a timely detection and alerting process to identify the failure of critical security control systems.
Examples of critical security control systems include:
Service providers need to respond to failures of any critical security controls in a timely manner.
Processes for responding to failures in security controls must include:
Executive management needs to establish responsibility for the protection of cardholder data and for a PCI DSS compliance program that includes:
Smaller organizations should add these roles to an individual’s job responsibilities, while larger organizations might need to establish a PCI compliance team (e.g., a compliance team made up of IT, accounting, and management).
In either case, management should give the PCI officer or team the authority to act and implement the changes needed to become PCI DSS compliant, and the officer or team should meet with executive management at least monthly to report on progress.
See also: What are Service Provider Levels and How Do They Affect PCI Compliance?
Service providers need to perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes:
In addition, you need to maintain documentation of the quarterly review process, including:
These reviews help ensure that security policies and procedures are being followed as expected. Keep records of these quarterly reviews, including their dates and findings.
Service providers who use segmentation to isolate the cardholder data environment from other networks must perform penetration testing on segmentation controls at least every 6 months and after any changes to segmentation controls/methods.
This penetration testing should be performed by a qualified internal resource or third party. If an internal resource is used, the tester should have organizational independence (though they aren’t required to be a QSA or ASV). The purpose of penetration testing segmentation controls/methods is to verify that the cardholder data environment is protected from unauthorized access.
See also: New 3.2 Requirements for Penetration Testing and Segmentation: What You Don’t Know