Insights > Blog

PCI DSS Requirements Become Mandatory in 2018

Your company processes, stores, or transmits payment card data passed the PCI DSS compliance validation process and met all requirements successfully. What a success! Your business is now certified, and you can rest, right?


Cybercriminals do not rest, ever. And you should not adopt this mindset when ensuring the security of your customers’ payment card data.

Digital threats, attack techniques, and attempted fraud evolve continuously and rapidly. Thinking about it, the PCI DSS security standard today, in its version 3.2 released in 2016, raises some best practices for mandatory requirements in 2018 that must be met to ensure your company’s compliance. In this blog, you will find which controls will become mandatory for the merchant and/or service provider categories in 2018.

Control 3.5.1 – Documentation of the encryption architecture used

Applicable to: Service Provider

This control determines the details of algorithms, protocols, and keys used to protect card data, including key strength and expiration date. The documentation should include the usage description for each of the keys and an inventory of any hardware security module (HSMs) or Secure cryptographic devices (SCDs) used for the management of cryptographic keys.

Control 6.4.6 – Application of all requirements for new or modified systems and networks

Applicable to: Merchant / Service Provider

Upon completion of a significant modification process in your systems and networks, all PCI DSS requirements must be implemented. The application of the controls should also occur for new systems and networks, in addition to request updating of the documentation, if applicable.

Control 8.3.1-Multiple authentication factor for CDEs

Applicable to: Merchant / Service Provider

Version 3.1 called for two-factor authentication, and do not worry, the change in naming happened just to make it clear that there are more authentications based on more than two factors. The important thing here to consider is that all non-console accesses for cardholder data environments (CDE) performed by users with administrative access should rely on multiple authentication factors.

Control 10.8 – Periodic detection and reporting of system failures

Applicable to: Service Provider

This control determines the application processes for fault detection and creation of periodic reports for critical security control systems, including but not limited to, firewalls, IDS/IPS, FIM, anti-virus, physical access controls, logical access controls, audit logging mechanisms, and segmentation controls (if used).

Control 10.8.1 – Response to security incidents

Applicable to: Service Provider

Creation of an effective plan for immediate response to failures of any critical safety controls including restoration of safety functions, identification, and documentation of the duration of the failure, its causes (including the root-cause) and remedial actions taken.

This control also requires documentation of any added security breach that occurred because of the original incident, in addition to the risk management implementation to determine any necessary actions arising from the security breach and control that prevent recurrence.

Control – Tests of constant intrusions

Applicable to: Service Provider

If segmentation of environments is used, according to the PCI DSS scope, intrusion tests must be carried out at least every six months. The tests should be performed whenever there is any change in the controls or methods of segmentation.

Control 12.4.1 – Determination of responsibilities

Applicable to: Service Provider

The company’s executive management should establish clear responsibilities in its teams to ensure the protection of card data and a PCI DSS compliance program that includes determination of those responsible for maintaining compliance, setting a letter for the program, and broad communication to the executive management.

Control 12.11 – Reviewing security policies

Applicable to: Service Provider

Security policies should be reviewed at least every three months to ensure their effectiveness and if users of the environment are following rules and procedures determined by it. This process should include daily review of logs, firewall rules, application of default settings for new systems, response to security incidents, and change management processes.

Control 12.11.1 – Quarterly review process documentation

Applicable to: Service Provider

The quarterly review processes indicated in the previous control should be adequately documented and include the results of the review as well as the analysis of each professional holding designated responsibilities for the PCI DSS compliance program.

As we have seen here, the evolution of PCI DSS security standard requirements is a result of an effort to maintain environments that handle secure payment card data against the latest digital threats and risks. Compliance with all the requirements described in the standard is mandatory and depends on the validation and certification of compliance.

Having expert PCI DSS consulting services can greatly assist your company in defining the scope of compliance for your business type, avoiding unnecessary investments or attention to requirements that, as we have seen, may not apply according to the profile the company.

Oldair Barbosa and Karen Watanabe are experts in the PCI DSS standard of CIPHER’s Governance, Risk and Compliance team.

Guide to PCI DSS Compliance Whitepaper

Did you enjoy this blog article? Comment below with your feedback.


Submit a Comment

Your email address will not be published. Required fields are marked *


Information Security Maturity Self-Assessment Survey

Learn More

•  Whitepapers
•  E-books
•  Checklists
•  Self-Assessments
•  Webcasts
•  Infographics