By Jason Wittick and Mariann Utrosa • September 29, 2016

Imminent Changes for Payment Cards


MasterCard 2-Series BIN Expansion

On November 3rd, 2014, MasterCard announced that it was introducing a new series of bank identification numbers (BINs) and that it would start issuing them by June 2017.
A BIN identifies the issuer of a particular credit card and is represented by the first six digits of a payment card number. Mastercard BINs have traditionally started with a 5. The new expansion is referred to as the ‘2-series BINs’ because the new pool begins with numbers in the range 222100 to 272099.

Beginning in October 2016, merchants, including those that use a third-party processor, shopping cart or terminal provider, must prepare their systems to accept and support the new 2-series BINs for both card-present and card-not-present payment channels. All merchants need to be compliant and ready to support the new 2-series BINs by January 1st, 2017.

MasterCard will begin merchant field testing of the new numbers on June 30th, 2017, and any failure to accept a 2-series BIN card by June 30th, 2017 may result in a non-compliance assessment and/or a fine of up to $25,000 per month until delinquent merchants achieve compliance.
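The usual reason a merchant system rejects a 2-series card is a brand check hard-wired to the traditional 51–55 prefixes. The following Python is an added example, not code from the original post or from Datex: it places a legacy prefix-regex check beside a range-based check that covers both the 5-series (510000–559999) and the 2-series (222100–272099), verifies the Luhn check digit, and masks the PAN to the first six / last four for logging. The sample PANs are constructed for the example (the 5555… number is Mastercard's long-standing public test number); the function and variable names are this example's own.

```python
import re

# Sample PANs constructed for this example; none is a real account.
SAMPLE_PANS = [
    "5555 5555 5555 4444",  # traditional 5-series (Mastercard public test number)
    "2221 0000 0000 0009",  # first BIN of the 2-series range
    "2720 9900 0000 0003",  # last BIN of the 2-series range
    "2721 0000 0000 0004",  # one BIN past the 2-series range
]

def normalize(pan: str) -> str:
    """Strip the spaces and dashes that keypads and web forms insert."""
    return re.sub(r"[ -]", "", pan)

# Legacy brand check many merchant systems still carried in 2016: it only
# knows the 51-55 prefixes, so every 2-series card is rejected as "not a Mastercard".
LEGACY_MASTERCARD_RE = re.compile(r"5[1-5]\d{14}")

def legacy_is_mastercard(pan: str) -> bool:
    return LEGACY_MASTERCARD_RE.fullmatch(normalize(pan)) is not None

def bin_of(pan: str) -> str:
    """The BIN is the first six digits of the PAN."""
    digits = normalize(pan)
    if not digits.isdigit() or len(digits) < 6:
        raise ValueError("PAN must contain at least six digits")
    return digits[:6]

def is_mastercard(pan: str) -> bool:
    """Range-based check: 5-series (510000-559999) or 2-series (222100-272099).

    Comparing the BIN as an integer range rather than a prefix regex turns the
    2-series expansion into a one-line change instead of a rewrite.
    """
    digits = normalize(pan)
    if not digits.isdigit() or len(digits) != 16:
        return False
    bin6 = int(digits[:6])
    return 510000 <= bin6 <= 559999 or 222100 <= bin6 <= 272099

def luhn_valid(pan: str) -> bool:
    """Luhn check-digit verification, which every payment PAN must pass."""
    digits = [int(c) for c in normalize(pan)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """PCI DSS 3.3 display form: first six and last four, everything else masked."""
    digits = normalize(pan)
    if len(digits) <= 10:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def classify(pan: str) -> str:
    """Decision a card-acceptance path would make for an incoming PAN."""
    digits = normalize(pan)
    if not digits.isdigit() or not luhn_valid(digits):
        return "invalid"
    if is_mastercard(digits):
        return "mastercard-2-series" if digits[0] == "2" else "mastercard-5-series"
    return "unknown-issuer"

if __name__ == "__main__":
    for pan in SAMPLE_PANS:
        print(mask_pan(pan), "legacy:", legacy_is_mastercard(pan), "updated:", classify(pan))
```

Running the block shows the failure mode the post warns about: the legacy check returns False for both 2-series samples while the range-based check accepts them, and only the masked form of each PAN ever reaches the output.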


PCI DSS Update to v3.2

The Payment Card Industry Security Standards Council is retiring PCI DSS v3.1 on October 31, 2016 and replacing it with PCI DSS v3.2. Ongoing efforts to protect payment card information continue in the new version, which includes numerous requirement updates and several entirely new requirements for any entity that stores, processes or transmits cardholder data. The most substantial changes in PCI DSS v3.2 focus on two topics:

1) Multi-Factor Authentication

  • PCI DSS v3.2 now mandates multi-factor authentication for administrative access to cardholder data (CHD) and the cardholder data environment (CDE): two or more authentication factors must be presented before an individual's access is authorized. Examples of suggested authentication factors include:
    • Something you know, such as a password or passphrase
    • Something you have, such as a token or smart card
    • Something you are, such as a biometric

2) Outdated Encryption

Because of their numerous known vulnerabilities, the Security Standards Council has deemed SSL and early versions of TLS insecure and has mandated that organizations stop using SSL and early TLS as a security control no later than June 30th, 2018. All outdated protocols must be transitioned to TLS 1.2, and a number of payment processors, including Moneris and Chase Paymentech, have already started to implement these changes.
  • In accordance with the National Institute of Standards and Technology (NIST), the data transport encryption standards for acceptable protection of data have been updated, and as a result the Secure Hash Algorithm 1 (SHA-1) is also no longer considered secure enough for continued use. Commercial certificate authorities stopped issuing SHA-1 based SSL certificates in December 2015, which means any expiring or expired SHA-1 certificates can no longer be renewed. It is expected that beyond January 1, 2017, most SHA-1 certificates will no longer have a useful life.
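Before the migration deadline a merchant has two practical jobs: find out which clients still negotiate SSL or early TLS, and refuse those protocols on its own connections to processors. The Python below is an added example, not code from the original post or from Datex. It parses constructed access-log lines in an assumed nginx-style layout whose last two fields are the negotiated protocol and cipher, counts connections per protocol, lists the clients still on outdated versions (anything below the TLS 1.2 target the post names), and builds an `ssl` client context with a TLS 1.2 floor. The log lines, addresses and function names are this example's own.

```python
import re
import ssl
from collections import Counter

# "SSL and early TLS" in PCI DSS v3.2 / Appendix A2 terms; the post sets TLS 1.2
# as the target, so everything below it is treated as outdated here.
OUTDATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed access-log lines (assumed layout: nginx combined format followed by
# $ssl_protocol and $ssl_cipher). Not taken from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Sep/2016:10:15:02 +0000] "POST /pay HTTP/1.1" 200 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
10.0.0.7 - - [29/Sep/2016:10:15:09 +0000] "POST /pay HTTP/1.1" 200 TLSv1 ECDHE-RSA-AES128-SHA
10.0.0.9 - - [29/Sep/2016:10:16:41 +0000] "GET /terminal/heartbeat HTTP/1.1" 200 SSLv3 RC4-SHA
10.0.0.5 - - [29/Sep/2016:10:17:00 +0000] "POST /pay HTTP/1.1" 200 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
10.0.0.11 - - [29/Sep/2016:10:18:13 +0000] "POST /pay HTTP/1.1" 200 TLSv1.1 ECDHE-RSA-AES128-SHA
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<protocol>\S+) (?P<cipher>\S+)$'
)

def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def audit_tls_log(text: str):
    """Count connections per protocol and list clients still on outdated ones.

    Returns (Counter of protocol -> connections, dict of client -> set of
    outdated protocols seen). The dict is the migration worklist: each entry
    is a terminal, shopping cart or processor link that needs attention.
    """
    per_protocol = Counter()
    outdated_clients = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_protocol[rec["protocol"]] += 1
        if rec["protocol"] in OUTDATED_PROTOCOLS:
            outdated_clients.setdefault(rec["client"], set()).add(rec["protocol"])
    return per_protocol, outdated_clients

def make_tls12_client_context() -> ssl.SSLContext:
    """Outbound context (e.g. to a payment gateway) that refuses anything below TLS 1.2.

    create_default_context() keeps certificate verification and hostname
    checking on; the explicit floor stops a downgrade to TLS 1.0/1.1 even
    where the interpreter's defaults would still allow them.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

if __name__ == "__main__":
    counts, worklist = audit_tls_log(SAMPLE_LOG)
    print("connections per protocol:", dict(counts))
    for client, protocols in sorted(worklist.items()):
        print(f"still on outdated protocol: {client} -> {sorted(protocols)}")
    print("client floor:", make_tls12_client_context().minimum_version)
```

Pointing `audit_tls_log` at a real access log (with the protocol and cipher fields added to the log format) gives the evidence for the Risk Mitigation and Migration Plan that Appendix A2 asks for: which endpoints still need to move, and how much traffic they carry.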

Other Notable Changes in PCI DSS v3.2 (most of which do not take effect until February 1, 2018):

Section or requirement, and a description of the change:

PCI Scope: Updated to clarify that backup/recovery sites need to be considered when confirming PCI DSS assessment scope.

3.3: Updated to clarify that legitimate business needs must be defined for any display of the primary account number (PAN) that exceeds the first six / last four digits.

3.5.1: New requirement for service providers to maintain a documented description of their cryptographic architecture.

6.4.6: New requirement for change control processes to include verification of the PCI DSS requirements impacted by a change.

6.5: Updated to clarify that training for developers must be up to date and occur at least annually.

8.3, 8.3.1, 8.3.2: Updated to replace ‘two-factor authentication’ with ‘multi-factor authentication’.

  • New requirement 8.3.1 speaks to multi-factor authentication for all personnel with non-console administrative CDE access
  • New requirement 8.3.2 speaks to multi-factor authentication for all personnel with remote CDE access

10.8, 10.8.1: New requirements for service providers to detect and report on critical security control system failures.

11.2.1: Updated to clarify that all ‘high risk’ vulnerabilities must be addressed in accordance with the entity’s vulnerability ranking (as defined in Requirement 6.1) and verified by rescans.

11.3.4: Updated to require confirmation that penetration tests are performed by qualified internal resources or a qualified external third party.

11.3.4.1: New requirement for service providers to perform penetration testing on segmentation controls at least once every six months.

12.4: New requirement for service providers whereby executive management must establish responsibility for:

  • protection of cardholder data
  • a PCI DSS compliance program, including accountability
  • a charter to ensure the program is communicated to management

12.11, 12.11.1: New requirements for service providers to confirm that personnel are following security policies and operational procedures, via reviews at least quarterly and formal acknowledgement of the same.

Appendix A2: New appendix with additional requirements for entities using SSL/early TLS, incorporating new migration deadlines for removal of SSL/early TLS, specifically:

  • Before June 30, 2018: existing implementations of SSL and TLS 1.0 and 1.1 must have a formal Risk Mitigation and Migration Plan in place
  • After June 30th, 2018: stop using SSL and early TLS as a security control


A complete summary of all changes from PCI DSS v3.1 to v3.2 can be found here: Summary of Changes from PCI DSS Version 3.1 to 3.2.

Does your security profile satisfy the updated PCI DSS requirements? Are payment gateways and processors within your security perimeter ready to support 2-series Mastercard BINs?

DataStealth already employs only the strongest, most up-to-date, most reliable encryption protocols and can easily inject multi-factor authentication mechanisms into any traffic stream. Our solution enhances user authentication security and provides an immediate, PCI DSS v3.2 compliant security uplift simply by placing it in the line of traffic.


Contact Datex to learn more about how we can help your organization.
