This is the second post in our two-post series on what you need to know about seven important dates in the payments industry.
In our first post regarding those key dates, we covered:
- The U.S. Europay, MasterCard, and Visa (EMV) Standard
- The National Automated Clearing House Association’s (NACHA) Same-Day Automated Clearing House (ACH) Payments Requirement
- The Compliance with Court Orders Act
In this post, we look forward to the future dates for:
- The Payment Card Industry Data Security Standard (PCI DSS) v3.2 Requirement (8.3.1) on Multi-Factor Authentication
- PCI DSS v3.2 Requirements (2.2.3, 2.3, 4.1) on Upgrading Secure Sockets Layer (SSL) Encryption
- The European Commission Payment Services Directive 2 (PSD2)
- The European Union (EU) General Data Protection Regulation (GDPR)
PCI DSS Requirement for Multi-Factor Authentication
|January 31, 2018||PCI DSS v3.2 Requirement on Multi-Factor Authentication (8.3.1)||Affects global organizations|
The PCI Security Standards Council (PCI SSC) has been publishing compliance standards for 10 years, and those standards have become the primary reference most payments organizations follow. Several upcoming dates in the latest version, PCI DSS v3.2, are important.
According to Requirement 8.3.1, organizations must use multi-factor authentication for all non-console access by personnel with administrative privileges. A password alone is no longer enough. Multi-factor authentication combines something the administrator knows (e.g., a password) with at least one further factor: something they possess (e.g., a hardware or software token) or something they are (e.g., a biometric).
Pending projects for single sign-on (SSO) should be reviewed to take into consideration this new requirement. For payments ecosystems that run on HPE NonStop servers, integration into Safeguard and similar access control measures will need to be completed by this date.
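The following is an added illustration, not code from the original post or from any HPE NonStop product, of what "password plus a possession factor" means for an administrative login. It assumes the possession factor is a time-based one-time password (TOTP, RFC 6238) generated by a token the administrator holds; the secret and expected codes used in the comments are the published RFC 6238 test vectors, and `admin_login` is a hypothetical gate, not an existing Safeguard or SSO API.

```python
import hashlib
import hmac
import struct

# Default time step from RFC 6238: the token and the server agree on 30-second windows.
TIME_STEP = 30


def totp(secret: bytes, unix_time: int, digits: int = 8) -> str:
    """Compute an RFC 6238 TOTP code with HMAC-SHA-1 for the given secret and time."""
    counter = int(unix_time) // TIME_STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): take four bytes at an offset chosen by the last nibble.
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                digits: int = 8, window: int = 1) -> bool:
    """Accept the code if it matches the current step or one adjacent step.

    The window tolerates small clock drift between token and server; the comparison
    is constant-time so a wrong code does not leak how many digits matched.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * TIME_STEP, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def admin_login(password_ok: bool, secret: bytes, code, unix_time: int) -> bool:
    """Hypothetical gate for non-console administrative access under Requirement 8.3.1.

    The password check alone never grants access: a missing or wrong one-time code
    is rejected even when the password was correct.
    """
    if not password_ok:
        return False
    if code is None:
        return False
    return verify_totp(secret, code, unix_time)


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890") and vector:
    # at T = 59 the 8-digit SHA-1 code is 94287082.
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59))                              # 94287082
    print(admin_login(True, rfc_secret, None, 59))           # False: no second factor
    print(admin_login(True, rfc_secret, "94287082", 59))     # True
```

In a real deployment the server would also record which time step each administrator last authenticated in and refuse a second use of the same code, so that a captured code cannot be replayed within the drift window.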
PCI DSS Requirements on Upgrading SSL Encryption
|June 30, 2018||PCI DSS v3.2 Requirements on Upgrading SSL Encryption (2.2.3, 2.3, 4.1)||Affects global organizations|
Organizations still using the internet encryption protocol known as SSL must complete an upgrade to a stronger cryptographic protocol by this date. The upgrade path is Transport Layer Security (TLS), specifically TLS v1.2 and above. According to the PCI SSC, SSL and early versions of TLS have known, exploitable vulnerabilities and should therefore not be used to safeguard data communications over networks.
Although 2018 is over 1.5 years away, this date is important to remember. The original deadline was June 30, 2016. Due to feedback on costs and readiness from merchants, the PCI SSC extended the deadline by two years. But the extension does not buy merchants much time, because the new protocol must be selected, implemented and tested across every connection, which is a time-consuming process.
According to the Identity Theft Resource Center, between June 30, 2016 and November 29, 2016 there were more than 400 data breaches in the US. Had the original deadline been enforced, organizations with weak SSL encryption would not only have suffered the data breach but might also have faced PCI compliance penalties.
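As an added example (not from the original post), the check below shows the two sides of this requirement on a single server: auditing an nginx-style `ssl_protocols` directive for the "SSL and early TLS" versions the PCI SSC rules out, and building a client-side TLS context that refuses anything below TLS v1.2. The sample directive is constructed for the example; the protocol names are the ones nginx accepts, and the weak/strong split follows the page's statement that TLS v1.2 and above is acceptable.

```python
import ssl

# Protocol versions PCI DSS v3.2 treats as "SSL and early TLS"; everything else
# listed by nginx (TLSv1.2, TLSv1.3) is "TLS v1.2 and above".
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: a configuration that still enables SSLv3 and early TLS.
SAMPLE_DIRECTIVE = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;"


def audit_ssl_protocols(directive: str):
    """Split an nginx 'ssl_protocols ...;' line into (allowed, flagged) version lists."""
    tokens = directive.strip().rstrip(";").split()
    if not tokens or tokens[0] != "ssl_protocols":
        raise ValueError("expected an ssl_protocols directive")
    versions = tokens[1:]
    flagged = [v for v in versions if v in WEAK_PROTOCOLS]
    allowed = [v for v in versions if v not in WEAK_PROTOCOLS]
    return allowed, flagged


def hardened_directive(directive: str) -> str:
    """Rewrite the directive keeping only TLS v1.2 and above.

    If nothing acceptable was enabled at all, fall back to TLSv1.2 and TLSv1.3 so the
    server does not end up with an empty protocol list.
    """
    allowed, _ = audit_ssl_protocols(directive)
    if not allowed:
        allowed = ["TLSv1.2", "TLSv1.3"]
    return "ssl_protocols " + " ".join(allowed) + ";"


def pci_client_context() -> ssl.SSLContext:
    """Client-side context that will not negotiate below TLS v1.2 (Python 3.7+ API)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_refuses_early_tls(ctx: ssl.SSLContext) -> bool:
    """True when the context's floor is at least TLS v1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    allowed, flagged = audit_ssl_protocols(SAMPLE_DIRECTIVE)
    print("flagged:", flagged)                    # ['SSLv3', 'TLSv1', 'TLSv1.1']
    print("fixed:  ", hardened_directive(SAMPLE_DIRECTIVE))   # ssl_protocols TLSv1.2;
    print("client floor ok:", context_refuses_early_tls(pci_client_context()))
```

Running the audit over the exported configuration of every TLS endpoint, not just the public web tier, is the practical way to find the interfaces that still need the upgrade before the deadline.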
For the full report, see: Identity Theft Resource Center, Data Breaches.
European Commission PSD2
|April 2018||PSD2 – Payment Services Directive 2||Affects European businesses|
PSD2 is a series of enhancements over existing PSD laws aimed at improving efficiency and enhancing protection of cardholders and businesses in Europe. The enhancements include:
- Reducing cardholder liability for unauthorized payments from 150 Euros to 50 Euros
- Outlawing surcharges for paying with a card, so no more 2% fee for using a credit card to pay
- Opening the European payments market to "payment initiation service providers", so consumers can pay online directly from a bank account, without a credit card, through a payment initiation service
The European Banking Authority (EBA) and other supporters of PSD2 have high hopes for leveling the playing field for competition and promoting innovation in payments throughout Europe. The April 2018 date represents the two-year time frame that EU member states have to introduce PSD2 into their national laws.
European Union GDPR
|May 2018||GDPR – General Data Protection Regulation||Affects global organizations|
GDPR replaces the existing Data Protection Directive and is set to be enforced in May 2018. GDPR includes new protections for EU payment cardholders, while also imposing strict penalties and fines on institutions for non-compliance. The greatest focus is on data governance.
It is now mandatory for payments processors to complete privacy impact assessments for high-risk processing activity. Organizations must also demonstrate "privacy by design", showing that they have pseudonymized (e.g., tokenized) the data they store. Institutions also face new limitations on the use of customer consent: each use of customer data must be approved separately by the customer, and customers can withdraw that consent at any time. Under GDPR, people also have the right to have their data erased.
GDPR is attracting a lot of attention outside the EU because its rules also apply to companies doing business within the EU or processing data pertaining to EU citizens. (If an institution handles the data of more than 5,000 EU citizens, it must comply.) More eye-catching is the penalty for non-compliance. In the event of a data breach, customer notifications are required, and the maximum penalty is either €20 million or 4% of total annual global revenue, whichever is greater.
Check out our Blog Post for more information regarding GDPR and PSD2, as well as the specific security measures you can put into place on your HPE NonStop systems.
We offer security workshops, data protection solutions, and professional services regarding security for HPE NonStop systems. For more information, Contact Us today.