
PCI compliance will now demand a minimum of TLS v1.1

As a business that needs to consider PCI DSS, here are just a few of the changes to the requirements that you’ll need to bear in mind ahead of deadlines in 2018.

It’s easy to become complacent when it comes to PCI compliance. However, having your systems up to date today does not mean attackers have stopped working on new ways to reach sensitive information. Keeping up with the latest PCI DSS not only helps keep your systems safe, it also helps your company avoid the fines that follow from lax security.

The deadline for updating your systems to meet PCI DSS regulations is February 2018, so companies should start making updates now. At present, the rules in PCI DSS 3.2 are considered strongly advisable; from the February deadline onward, 3.2 becomes the legally mandatory requirement.

With that in mind, here are a few of the key changes to the requirements that you’ll need to bear in mind ahead of the 2018 deadlines:

Authentication changes

Whereas previously, under PCI DSS version 3.1, your company only needed to accommodate two-factor authentication, this changes in February. It is not too drastic a change, however: it simply means that businesses must be prepared for more than just two forms of authentication.

Included in this change, multi-factor authentication is now a requirement for non-console administrative access. This is in addition to the current requirement, which only covers remote access to the cardholder data environment.

TLS v1.1 is now a minimum requirement

All encryption protocols that predate TLS v1.1 are no longer considered viable. The new PCI DSS 3.2 requirements state that by June 2018, all companies must have migrated to TLS v1.1 or an equivalent. It is worth considering the more recent TLS v1.2 straight away, as industry requirements are likely to shift to v1.2 soon.

Using a recent encryption protocol isn’t just important for complying with the new PCI DSS, however. Running outdated protocols whose weaknesses are already well understood by attackers leaves your business and your customers vulnerable to fraud; keeping your systems up to date generally helps you avoid this.

Being PCI DSS compliant means that we can no longer support Internet Explorer 10. As it stands, Internet Explorer 10 does not support TLS v1.2, which is the minimum requirement for PCI DSS compliance.
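As an added illustration (not from the article or from iFactory), the following Python script audits the ssl_protocols directives in an nginx configuration against the TLS v1.1 floor described above, flags any SSLv3 or TLS v1.0 that is still offered, and warns where TLS v1.1 remains enabled; the sample configuration and hostnames are constructed.

```python
import re

# Constructed nginx fragment (not from the article): one server block still
# offering SSLv3 and TLS v1.0, one already restricted to TLS v1.2 and v1.3.
SAMPLE_NGINX_CONF = """
server {
    server_name legacy.example.invalid;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
server {
    server_name modern.example.invalid;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

# nginx spells TLS 1.0 as "TLSv1". Anything older than TLS v1.1 fails the
# PCI DSS 3.2 floor; TLS v1.1 itself passes but is reported as a warning,
# since the article recommends moving straight to TLS v1.2.
BELOW_FLOOR = {"SSLv2", "SSLv3", "TLSv1"}
FLOOR = "TLSv1.1"
RECOMMENDED = "ssl_protocols TLSv1.2 TLSv1.3;"

SERVER_RE = re.compile(r"server\s*\{(.*?)\}", re.DOTALL)
NAME_RE = re.compile(r"server_name\s+([^;]+);")
PROTO_RE = re.compile(r"ssl_protocols\s+([^;]+);")

def audit_server_block(block):
    """Audit one nginx server block against the TLS v1.1 floor."""
    name = NAME_RE.search(block)
    proto = PROTO_RE.search(block)
    finding = {"server": name.group(1).strip() if name else "<unnamed>",
               "protocols": None, "violations": [], "warning": None}
    if proto is None:
        # No explicit directive: nginx falls back to a version-dependent
        # default that on older releases still includes TLS v1.0 and v1.1.
        finding["warning"] = "no ssl_protocols directive; build default applies"
    else:
        finding["protocols"] = proto.group(1).split()
        finding["violations"] = [p for p in finding["protocols"]
                                 if p in BELOW_FLOOR]
        if FLOOR in finding["protocols"]:
            finding["warning"] = "TLSv1.1 still enabled"
    finding["compliant"] = proto is not None and not finding["violations"]
    finding["fix"] = RECOMMENDED if finding["violations"] or finding["warning"] else None
    return finding

def audit_nginx_config(config_text):
    """Return one finding per server block in the configuration text."""
    return [audit_server_block(m.group(1)) for m in SERVER_RE.finditer(config_text)]
```

Run audit_nginx_config over the real nginx.conf (and any included vhost files) to list every block that still offers a pre-TLS v1.1 protocol alongside the hardened directive to replace it with.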

What is PCI compliance?

Before answering this burning question, it helps to start with what PCI DSS stands for: Payment Card Industry Data Security Standard.

These are a set of requirements to be followed by all companies and merchants accepting payment from customers by credit or debit card. If you’re a business owner and you accept, process, transmit or store cardholder data, you’re required to comply with the PCI Security Standards to ensure a secure payment card environment. PCI compliance is expected of all Australian businesses, irrespective of their size.

iFactory is a leading digital agency located in Brisbane, Australia. With years of experience in the industry, we help satisfied clients with their digital queries every day. If you need help ensuring complete PCI DSS compliance in line with the new standards, or with any other element of ecommerce systems integration, why not get in touch with us today? A member of our friendly team will be happy to tell you more about the services we offer or answer any questions you might have.
