PCI DSS 3.2: Is It Enough to Protect Cardholder Data?

BrandPost By Chris Carroll
Dec 05, 2016

The short answer is yes—but forward-thinking organizations will take the time to double check.


PCI DSS 3.2 consists of 12 requirements spread across six domains. Because the standard's purpose is protecting cardholder data, many of its requirements govern who can access the systems that store, process, or transmit that data, and how that access is authenticated and logged. But is PCI DSS 3.2 on its own enough to protect cardholder data, or do organizations need additional protection?

Understanding PCI DSS 3.2

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded payment cards from the major card brands, such as Visa, MasterCard, American Express, and Discover. The standard was created to reduce payment card fraud by increasing the controls around cardholder data.

PCI DSS 3.2 was released in April 2016 and specifies 12 requirements for compliance, organized into the following six domains:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

“The payments industry recognizes PCI DSS as a mature standard, so the primary changes in version 3.2 are clarifications on requirements that help organizations confirm that critical data security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process,” per PCI Security Standards Council General Manager Stephen Orfei. “PCI DSS 3.2 advocates that organizations focus on people, process, and policy, with technology playing an important role in reducing the overall cardholder data footprint.” 

Implementing PCI DSS 3.2

Privileged access controls are among the most consequential parts of PCI DSS 3.2 compliance: Requirements 7, 8, and 10 (restrict access by business need to know, identify and authenticate access to system components, and track and monitor all access to cardholder data) apply directly to administrators of in-scope systems, and version 3.2 adds multi-factor authentication for all non-console administrative access into the cardholder data environment. Proving compliance with these requirements can be an exhaustive process, so automating access enforcement and compliance reporting is crucial for efficient and effective monitoring and documentation.

For example, the Centrify Server Suite provides centralized management of user identities and servers, user authentication, role-based access control, session recording, and the reporting needed for compliance audits. It bridges Linux and UNIX systems to Active Directory and combines that with privilege management, multi-factor authentication, and session monitoring across Windows, Linux, and UNIX systems. The net result is increased security, improved compliance, and comprehensive reporting and auditing.

In addition, Centrify Privilege Service™ (CPS) provides shared account password management and secure remote access to resources. Together, they help organizations address PCI DSS 3.2 requirements concerning privileged account management and usage, and provide control over access to resources that are protected within the scope of PCI DSS.

So is PCI DSS 3.2 enough?

The short answer is yes: PCI DSS 3.2 is enough to protect cardholder data if organizations use proven technologies and processes to ensure individual accountability for privileged access, a key tenet of the PCI DSS requirements, and keep those controls in place and tested throughout the year rather than only at assessment time.

The longer answer is that forward-thinking organizations will take the time to review the PCI DSS 3.2 requirements and explore how automated solutions can help them ensure compliance across the board. For additional information, download the whitepaper Becoming PCI DSS Compliant.