How data breaches have driven the updated PCI standard

PCI Data Security Standard version 3.2 replaces version 3.1 to address growing threats to customer payment information

This article is part three of a three-part series on POS systems. Part one is here and part two is here.

The Payment Card Industry Security Standards Council published a new version of its data security standard, which businesses around the world use to safeguard payment data before, during and after a purchase is made.

PCI Data Security Standard version 3.2 replaces version 3.1 to address growing threats to customer payment information. Companies that accept, process or receive payments should adopt it as soon as possible to prevent, detect and respond to cyber attacks that can lead to breaches. Version 3.1 will expire on Oct. 31.

“The payments industry recognizes PCI DSS as a mature standard, so the primary changes in version 3.2 are clarifications on requirements that help organizations confirm that critical data security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process,” said PCI Security Standards Council GM Stephen Orfei. “This includes new requirements for administrators and service providers and the cardholder data environments they are responsible to protect. PCI DSS 3.2 advocates that organizations focus on people, process and policy, with technology playing an important role in reducing the overall cardholder data footprint.”

The update to the standard is part of the regular process for ensuring the PCI DSS addresses current challenges and threats. This process factors in industry feedback from the PCI Council’s 700+ global participating organizations, as well as findings from data breach reports and changes in payment acceptance.

“We’ve seen an increase in attacks that circumvent a single point of failure, allowing criminals to access systems undetected, and to compromise card data,” said Troy Leach, PCI Security Standards Council chief technology officer. “A significant change in PCI DSS 3.2 includes multifactor authentication as a requirement for any personnel with administrative access into environments handling card data.”

Previously, this requirement applied only to remote access from untrusted networks. “A password alone should not be enough to verify the administrator’s identity and grant access to sensitive information,” Leach said. “Additionally, service providers, specifically those that aggregate large amounts of card data, continue to be at risk. PCI DSS 3.2 includes updates to help these entities demonstrate that good security practices are active and effective.”
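The scope change Leach describes is easy to miss in an access review: under the older rule an administrator logging in from inside the trusted network with only a password raised no flag, while under 3.2 that same session is a gap. The following audit helper, an added example that is not part of the article or of any PCI Council tooling, encodes the two rule sets as the article states them (a simplified model, not the standard's full requirement text) and reports which of a set of constructed authentication records fall short. The record fields, the `requires_mfa` and `find_violations` names and the sample users are all assumptions made for this illustration.

```python
"""Simplified audit of authentication records against the multifactor rule
as the article describes it for PCI DSS 3.1 versus 3.2.

Model (illustrative, not the standard's full text):
  "3.1": MFA required only for remote access from an untrusted network.
  "3.2": additionally, MFA required for any administrative access into the
         cardholder data environment (CDE), even from inside the network.
"""

from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class AccessRecord:
    user: str
    is_admin: bool               # administrative account?
    into_cde: bool               # does the session reach the CDE?
    trusted_network: bool        # did it originate inside the trusted network?
    factors: FrozenSet[str]      # distinct factor categories presented


def requires_mfa(rec: AccessRecord, version: str) -> bool:
    """Return True if the simplified rule set for `version` demands MFA."""
    if version not in ("3.1", "3.2"):
        raise ValueError(f"unknown PCI DSS version {version!r}")
    # Rule present in 3.1 and carried over: remote access from outside the trusted network.
    remote_untrusted = not rec.trusted_network
    if version == "3.1":
        return remote_untrusted
    # 3.2 adds: administrative access into the CDE, regardless of source network.
    return remote_untrusted or (rec.is_admin and rec.into_cde)


def has_mfa(rec: AccessRecord) -> bool:
    """Two distinct factor categories (e.g. knowledge + possession) count as MFA."""
    return len(rec.factors) >= 2


def find_violations(records: List[AccessRecord], version: str) -> List[str]:
    """Users whose session required MFA under `version` but presented only one factor."""
    return [r.user for r in records if requires_mfa(r, version) and not has_mfa(r)]


# Constructed sample records (hypothetical users, not real data).
SAMPLE = [
    # Admin into the CDE from inside the network, password only: the 3.2 gap.
    AccessRecord("dba-01", True, True, True, frozenset({"knowledge"})),
    # Third party from an untrusted network, password only: a gap under both versions.
    AccessRecord("vendor-ops", False, True, False, frozenset({"knowledge"})),
    # Admin into the CDE with password plus hardware token: compliant under both.
    AccessRecord("sec-admin", True, True, True, frozenset({"knowledge", "possession"})),
    # Non-admin inside the network, never touching the CDE: no MFA demanded here.
    AccessRecord("clerk", False, False, True, frozenset({"knowledge"})),
]

if __name__ == "__main__":
    for version in ("3.1", "3.2"):
        print(f"PCI DSS {version}: sessions missing required MFA ->",
              find_violations(SAMPLE, version))
```

Run against the constructed records, the 3.1 rule flags only the untrusted-network login, while the 3.2 rule also flags the inside-network administrator who reached the CDE with a password alone; that second name is the kind of finding an organisation moving from 3.1 to 3.2 should expect to surface in its own access logs.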
