PCI DSS 3.2 lands, urges you to make haste slowly

The 2016 upgrade to the PCI's DSS standard, 3.2, has landed. As foreshadowed in February, the PCI Security Standards Council has eschewed “big bang” updates in favour of more digestible revisions to the standard. And those who adhere to a purist view of infosec probably won't be pleased. For example, as explained by the PCI …

  1. Anonymous Coward

    Landed

    In what sense has it "landed"??

    I can't find the requirements document anywhere...

    Anyone got a link?

    1. Preston Munchensonton

      Re: Landed

      https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf

      That was at the top of the Document Library on their website.

  2. Anonymous Coward

    2 factor for local access is just a pointless annoyance, because anyone with physical access can own the server/network, avoiding any authentication used, anyway.

    1. Aodhhan

      If the file system is encrypted (and should be for PCI), then physical access doesn't mean you own it.

      Also, not all admins are given access into a server room. I know where I work, there are around 40 admins and maybe 4 are allowed in the server room without an escort.

      Multifactor authentication isn't a pointless annoyance. Done correctly, it can actually be better than creating new passwords every 60 days.

      Using fingerprint scanning plus a PIN or PKI Card plus a PIN makes things rather easy and secure. Much easier than remembering 15+ char passwords you have to change all the time.

    2. Anonymous Coward

      It looks like only non-console

      So local console access is ok, but RDP or MSTSC would need two-factor authentication, unless I misunderstood the PCI requirement...
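The reading in the reply above (console access exempt, remote administrative sessions such as RDP required to use a second factor) can be turned into a simple check over authentication records. The following is an added example, not code from the article or from any commenter: it assumes a constructed key=value log format and its own classification of which access methods count as "console", and flags administrative logins that arrived over a non-console path without a verified second factor.

```python
"""Added example (not from the article or the commenters): apply the
"non-console administrative access must use MFA" reading discussed above
to a few constructed authentication records and report the ones that fail."""

from dataclasses import dataclass
from typing import Iterable, List

# Access methods treated as "console" for this example (physically at the
# machine or a local TTY). Anything else is non-console. This classification
# is an assumption made for the example, not a definition from the standard.
CONSOLE_METHODS = {"console", "local-tty"}


@dataclass(frozen=True)
class AuthEvent:
    user: str
    method: str      # e.g. "console", "rdp", "ssh", "vpn"
    is_admin: bool   # whether the account holds administrative rights
    mfa: bool        # whether a second factor was verified for this login
    source: str      # originating address, or "local" for console logins


def parse_event(line: str) -> AuthEvent:
    """Parse one key=value record (a constructed format, not a real product's log)."""
    fields = dict(part.split("=", 1) for part in line.split())
    return AuthEvent(
        user=fields["user"],
        method=fields["method"].lower(),
        is_admin=fields.get("role", "") == "admin",
        mfa=fields.get("mfa", "no") == "yes",
        source=fields.get("src", "local"),
    )


def requires_mfa(ev: AuthEvent) -> bool:
    """True when the login is administrative and came over a non-console path."""
    return ev.is_admin and ev.method not in CONSOLE_METHODS


def find_violations(lines: Iterable[str]) -> List[str]:
    """Describe every admin login that should have used MFA but did not."""
    violations = []
    for line in lines:
        ev = parse_event(line)
        if requires_mfa(ev) and not ev.mfa:
            violations.append(f"{ev.user} via {ev.method} from {ev.source}")
    return violations


# Constructed sample records covering the four cases that matter:
# admin at the console without MFA (allowed under the non-console reading),
# admin over RDP with MFA (fine), admin over RDP without MFA (violation),
# and a non-admin over SSH without MFA (outside the requirement's scope).
SAMPLE_LOG = [
    "user=alice role=admin method=console mfa=no src=local",
    "user=bob role=admin method=rdp mfa=yes src=10.0.0.5",
    "user=carol role=admin method=rdp mfa=no src=10.0.0.9",
    "user=dave role=user method=ssh mfa=no src=10.0.0.7",
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print("MFA missing:", v)
```

Only the third record is reported; the console login is deliberately left alone, which is exactly the distinction the comment draws. Widening `CONSOLE_METHODS` or dropping the `is_admin` condition is how one would model a stricter local policy than the requirement itself.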

  3. fmartinez

    PCI DSS 3.2 compliance guide

    The high level changes in PCI DSS 3.2 are new deadlines for 3.2 compliance (2018), multi-factor authentication for users, new guidelines for primary account number masking, and stricter reporting for service providers.

    https://blog.varonis.com/a-guide-to-pci-dss-3-2-compliance-a-dos-and-donts-checklist/

    This link reviews the 3.2 updates and provides a Dos and Don'ts checklist for fulfilling all PCI DSS requirements.
