Freed Maxick Service Delivery Update

We have implemented a phased approach for returning to our offices that allows us to modify our approach to service delivery as situations change without any service disruptions. In the meantime and in the interest of public health and the safety of our community, our teams will continue working remotely whenever possible to provide the same high-quality service you have come to expect. Utilizing state-of-the-art technology, we are committed to meeting all of your assurance, tax, and advisory needs to help you navigate a business environment filled with challenges and opportunities. To discuss a specific need that can’t be handled remotely, please contact your Freed Maxick representative directly.

New 2018 PCI DSS 3.2 Compliance Requirements Effective February 2018

By Zachary Ostroff on March, 5 2018
Back to main Blog
Zachary Ostroff


Nine “Best Practices” Out, Nine New PCI DSS Mandates In

In December of 2004 Visa, MasterCard, American Express, Discover, and JCB Co. created the Payment Card Industry (PCI) Data Security Standard (DSS) to limit credit card fraud and establish a robust framework for cardholder data controls. The PCI Data Security Standard is amalgamation of the standards, requirements and guidance of each of these company’s established security programs. 

Application of PCI DSS Standards

PCI DSS standards apply to all organizations that are involved with the processing, storage, or transmission of cardholder data (CHD) as well as sensitive authentication data (SAD). The Standards are divided into six major control objectives, and each control objective has twelve unique requirements representing baselines for compliance.  

When Version 3.2 was released in April of 2016, many sub-requirements contained the following language, “This requirement is best practice until January 31st, 2018, after which is becomes a requirement.”  

Now that these best practice requirements are compulsory, it is essential to understand how they impact your organization and the steps you must take to meet full compliance. Non-compliance may lead to the loss of the ability to process credit cards and loss of an organization’s PCI DSS compliant status. 

PCI DSS Best Practices That Became Requirements in February 2018

A total of 9 “best practices” –All 9 are mandatory for service providers, including 2 for merchants – became requirements as of February 1, 2018.

PCI DSS Compliance

If your company is seeking to become PCI compliant, or will be conducting an annual PCI DSS examination, you’ll want to make sure that compliance with these new requirements are included in your compliance program or review.

These include:

  • Documenting cryptographic architecture
  • Updating documentation of significant changes
  • Incorporate multi-factor authentication for all non-console access
  • A process for the timely detection and reporting of failures of critical security control systems
  • Processes for responding to failures in security controls
  • Confirming PCI DSS scope by performing penetration testing on segmentation controls
  • Establishing responsibility
  • Perform quarterly reviews of personnel
  • Maintaining documentation of quarterly review process
  • Connect with the Freed Maxick PCI DSS Compliance Experts

Our team does a significant amount of PCI data compliance work across the country, and we would welcome an opportunity to share our insights and guidance with a complimentary review of your compliance situation. We also encourage you to read our through leadership on PCI DSS or download any of our compliance related thought leadership materials.

If you would like more information on our compliance services, contact with one of our Qualified Security Assessors at PCIServices@freedmaxick.com or connect with us here.

Stay up to date