Privacy & Information Security Law Blog

Earlier this month, the Payment Card Industry Security Standards Council (“PCI SSC”) published a set of enhanced validation procedures designed to provide greater assurance that certain entities are maintaining compliance with the PCI Data Security Standard (“PCI DSS”) effectively and on a continuing basis. The payment card brands and acquirers will determine which organizations are required to undergo a compliance assessment with respect to these supplemental validation requirements, which are entitled the PCI DSS Designated Entities Supplemental Validation (“DESV”).

The DESV complements the PCI DSS and contains additional security control requirements that are organized into the following 5 control areas:

1. Implement a PCI DSS compliance program;
2. Document and validate PCI DSS scope;
3. Validate that PCI DSS is incorporated into business-as-usual activities;
4. Control and manage logical access to the cardholder data environment; and
5. Identify and respond to suspicious events.

Those entities designated by the card brands for validation against the DESV must comply with the requirements set forth in the five control areas, which include, for example, increased administrative, validation and scoping controls. Entities that may be subject to the DESV include, for example, entities that (1) store, process or transmit large volumes of cardholder data; (2) provide aggregation points for cardholder data; or (3) have suffered significant or repeated breaches of cardholder data. According to the PCI SSC, the supplemental validation process typically will be performed in conjunction with the entity’s full PCI DSS assessment.

The release of the DESV coincides with the retirement of PCI DSS Version 3.0 on June 30, 2015. Although its replacement, Version 3.1, contains mostly minor updates and clarifications, the new version notably updates the standard’s encryption requirements to clarify that Secure Sockets Layer (“SSL”) and early Transport Layer Security (“TLS”) are not considered strong cryptography, and therefore will no longer be PCI DSS-compliant encryption protocols as of June 30, 2016. The migration from SSL to newer versions of TLS comes after several vulnerabilities were found to be associated with SSL, leading the National Institute of Standards and Technology to deem SSL as an unacceptable encryption protocol for the protection of data. In addition to the retirement of Version 3.0, the controls that Version 3.0 designated initially as best practices will now become PCI DSS requirements as of July 1, 2015.