See what changes your payment application vendor should make.
By: David Page
Applications vendors are encouraged to review and incorporate these changes into their payment applications and implementation guides as soon as possible. Version 3.2 is effective June 1, 2016 and PA-DSS version 3.1 retires on August 31, 2016.
Most of the changes in PA-DSS 3.2 reflect the changes made in PCI DSS 3.2.
PA-DSS version 3.2 includes a set of changes that all payment application vendors will be required to make.
Here is a list of the biggest changes to PA-DSS 3.2.
Multi-factor authentication is required
Similar to the PCI DSS, PA-DSS 3.2 now requires multi-factor authentication for all non-console access within and outside the network. Basically, if you use remote access, inside or outside your business’s network, you’re now required to use multi-factor authentication to access it. The requirement is now also worded as multi-factor authentication instead of just two-factor authentication.
Testing procedures have also been updated to include the identification of all roles and default accounts in the payment application.
One final change to the implementation guide: a new requirement has been added for instructions on how to securely install patches and updates.
Other changes
A couple of additional changes include:
- Training for developers must be up to date and occur at least annually
- A legitimate business need is required for full PAN display
If you don’t make these changes, you could be held liable should a data breach hit you or one of the businesses you work with.
Need a PA-DSS audit? Talk to us!
David Page is a Qualified Security Assessor and has been working at SecurityMetrics for two and a half years. He has over 18 years of experience in network and system engineering, design, and security.