More New PCI DSS 3.0 Requirements: Control Access, Two-Factor Authentication and POS Security

onlinetech
Yesterday, I blogged about the new PCI DSS 3.0 document that contains a number of clarifications, additional guidance and evolving (new) requirements. The part I’m going to focus on is the evolving requirements, as they represent the changes that ensure that the standards are up to date with emerging threats and changes in the market.

They also represent the greatest changes between the old and new documents, and are relevant to merchants and service providers that are already PCI DSS compliant, but may need to update according to the newly added requirements.

For a complete list of the new PCI DSS 3.0 requirements, visit our site: PCI DSS 3.0: Complete List of Newly Added Requirements.


8.2.3 – Passwords/phrases must meet the following:

  • Require a minimum length of at least seven characters.
  • Contain both numeric and alphabetic characters.

Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.

Why they added it: This requirement specifies that a minimum of seven characters and both numeric and alphabetic characters should be used for passwords/phrases. For cases where this minimum can’t be met due to technical limitations, entities can use “equivalent strength” to evaluate their alternative. NIST SP 800-63-1 defines “entropy” as a “measure of the difficulty of guessing or determining a password or key,” so the comparison is between how hard the alternative policy makes guessing and how hard the seven-character alphanumeric baseline makes it.
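The following is an added example, not code from the original post or from the PCI SSC. It checks a password against the literal 8.2.3 minimum and then shows one way to put numbers on "equivalent strength": the keyspace (in bits) a policy forces an attacker to search, compared against the seven-character letters-plus-digits baseline. The keyspace figure is an upper bound on guessing difficulty and is larger than the NIST SP 800-63-1 estimate for user-chosen passwords; the sample policies (a six-character legacy limit, a case-insensitive system, a digits-only PIN) are assumptions for illustration.

```python
"""Check passwords against the PCI DSS 3.0 8.2.3 minimum and compare the
keyspace of an alternative policy with that baseline ("equivalent strength").

Added example, not from the original post or the PCI SSC. The keyspace
calculation is an upper bound on guessing entropy, not the NIST SP 800-63-1
estimate for user-chosen passwords, which is lower."""
import math
import re

# Literal 8.2.3 minimum: 7+ characters with at least one letter and one digit.
BASELINE_MIN_LEN = 7
BASELINE_ALPHABET = 26 + 26 + 10  # letters (both cases) and digits


def meets_8_2_3(password: str) -> bool:
    """True if the password satisfies the literal 8.2.3 minimum."""
    return (
        len(password) >= BASELINE_MIN_LEN
        and re.search(r"[A-Za-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
    )


def keyspace_bits(min_len: int, alphabet_size: int) -> float:
    """Bits of worst-case guessing work for a policy: log2(alphabet ** min_len).

    This is the size of the space an attacker must search if users pick
    uniformly at random; real user-chosen passwords cluster far below it,
    and the 'at least one letter and one digit' rule trims it slightly."""
    return min_len * math.log2(alphabet_size)


BASELINE_BITS = keyspace_bits(BASELINE_MIN_LEN, BASELINE_ALPHABET)  # ~41.7 bits


def equivalent_strength(min_len: int, alphabet_size: int) -> bool:
    """Does an alternative policy (e.g. a legacy system capped at 6 characters
    but accepting all 95 printable ASCII characters) reach the baseline?"""
    return keyspace_bits(min_len, alphabet_size) >= BASELINE_BITS


def min_length_for(alphabet_size: int) -> int:
    """Shortest minimum length that makes a policy with this alphabet at least
    as strong as the baseline. The small epsilon absorbs floating-point noise
    when the quotient is an exact integer (e.g. the baseline alphabet itself)."""
    per_char = math.log2(alphabet_size)
    return math.ceil(BASELINE_BITS / per_char - 1e-9)


if __name__ == "__main__":
    for pw in ("tr0ub4dor", "abcdefg", "a1b2c3"):  # constructed samples
        print(f"{pw!r:14} meets 8.2.3: {meets_8_2_3(pw)}")
    # Assumed alternative policies: (minimum length, alphabet size)
    for length, alphabet in ((6, 95), (8, 95), (8, 36), (13, 10)):
        print(f"{length:2d} chars over {alphabet:3d} symbols -> "
              f"{keyspace_bits(length, alphabet):5.1f} bits, "
              f"equivalent: {equivalent_strength(length, alphabet)}")
    print("digits-only policy needs", min_length_for(10), "characters")
```

The useful result is the direction of the comparison rather than the exact bit count: a six-character limit does not reach the baseline even with the full printable alphabet, a case-insensitive system needs nine characters, and a numeric-only field needs thirteen. Any "equivalent strength" argument offered to an assessor should also address rate limiting and lockout (8.1.6 and 8.1.7), since keyspace alone says nothing about online guessing.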

8.5.1 – Additional requirement for service providers: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.

Note: This requirement is not intended to apply to shared hosting providers accessing their own hosting environment, where multiple customer environments are hosted.

Note: Requirement 8.5.1 is a best practice until June 30, 2015, after which it becomes a requirement.

Why they added it: To prevent the compromise of multiple customers through the use of a single set of credentials, vendors with remote access accounts to customer environments should use a different authentication credential for each customer. Technologies, such as two-factor mechanisms, that provide a unique credential for each connection (for example, via a single-use password) could also meet the intent of this requirement.

8.6 – Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows:

  • Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.
  • Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.

Why they added it: If user authentication mechanisms such as tokens, smart cards, and certificates can be used by multiple accounts, it may be impossible to identify the individual using the authentication mechanism. Having physical and/or logical controls (for example, a PIN, biometric data, or a password) to uniquely identify the user of the account will prevent unauthorized users from gaining access through use of a shared authentication mechanism.
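Requirements 8.5.1 and 8.6 forbid two sharing patterns: one credential reaching more than one customer, and one mechanism assigned to more than one account. Both can be caught from a credential inventory when the mechanism has a stable identifier (an SSH key fingerprint, a certificate thumbprint, a token serial). The example below is added here and is not from the original post or the PCI SSC; the inventory schema and all identifiers are constructed for illustration. Shared passwords cannot be found this way from salted hashes, so for password-based remote access the check has to happen at provisioning time instead.

```python
"""Audit a remote-access credential inventory for the two sharing patterns
PCI DSS 3.0 8.5.1 and 8.6 forbid.

Added example with constructed data; the record schema is an assumption."""
from collections import defaultdict

# Constructed inventory. Each record: which customer environment the access
# reaches, which individual account holds it, and the identifier of the
# authentication mechanism (SSH key fingerprint, certificate thumbprint,
# hardware token serial). All values are made up.
INVENTORY = [
    {"customer": "clinic-a", "account": "jdoe",    "mechanism": "ssh-key", "id": "SHA256:aaaa1111"},
    {"customer": "clinic-b", "account": "jdoe",    "mechanism": "ssh-key", "id": "SHA256:aaaa1111"},  # same key, two customers
    {"customer": "clinic-c", "account": "jdoe",    "mechanism": "ssh-key", "id": "SHA256:cccc3333"},
    {"customer": "clinic-a", "account": "msmith",  "mechanism": "x509",    "id": "thumb:dddd4444"},
    {"customer": "clinic-a", "account": "support", "mechanism": "x509",    "id": "thumb:dddd4444"},  # one cert, two accounts
    {"customer": "clinic-b", "account": "msmith",  "mechanism": "token",   "id": "token:0042"},
]


def credentials_shared_across_customers(inventory):
    """8.5.1: credential ids that grant access to more than one customer.
    Returns {credential_id: [customers...]}."""
    reach = defaultdict(set)
    for rec in inventory:
        reach[rec["id"]].add(rec["customer"])
    return {cid: sorted(c) for cid, c in reach.items() if len(c) > 1}


def mechanisms_shared_across_accounts(inventory):
    """8.6: mechanism ids assigned to more than one individual account, which
    makes the person behind a login impossible to identify.
    Returns {mechanism_id: [accounts...]}."""
    holders = defaultdict(set)
    for rec in inventory:
        holders[rec["id"]].add(rec["account"])
    return {cid: sorted(a) for cid, a in holders.items() if len(a) > 1}


def audit(inventory):
    """Run both checks; an empty dict for a requirement means no findings."""
    return {
        "8.5.1": credentials_shared_across_customers(inventory),
        "8.6": mechanisms_shared_across_accounts(inventory),
    }


if __name__ == "__main__":
    for req, findings in audit(INVENTORY).items():
        if not findings:
            print(f"{req}: no findings")
        for cid, who in findings.items():
            print(f"{req}: {cid} shared by {', '.join(who)}")
```

The same technician legitimately appears under several customers; what the 8.5.1 check flags is the identical key behind those entries. The 8.6 check is the complementary view, grouping by account rather than by customer, and would also surface a single certificate deployed to several service accounts within one environment.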

9.3 – Control physical access for onsite personnel to the sensitive areas as follows:

  • Access must be authorized and based on individual job function.
  • Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.

Why they added it: Controlling physical access to the CDE helps ensure that only authorized personnel with a legitimate business need are granted access. When personnel leave the organization, all physical access mechanisms should be returned or disabled promptly (as soon as possible) upon their departure, to ensure personnel cannot gain physical access to the CDE once their employment has ended.

9.9 – Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

Note: These requirements apply to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads.

Note: Requirement 9.9 is a best practice until June 30, 2015, after which it becomes a requirement.

Why they added it: Criminals attempt to steal cardholder data by stealing and/or manipulating card-reading devices and terminals. For example, they will try to steal devices so they can learn how to break into them, and they often try to replace legitimate devices with fraudulent devices that send them payment card information every time a card is entered. Criminals will also try to add “skimming” components to the outside of devices, which are designed to capture payment card details before they even enter the device—for example, by attaching an additional card reader on top of the legitimate card reader so that the payment card details are captured twice: once by the criminal’s component and then by the device’s legitimate component. In this way, transactions may still be completed without interruption while the criminal is “skimming” the payment card information during the process.

This requirement is recommended, but not required, for manual key-entry components such as computer keyboards and POS keypads.

Additional best practices on skimming prevention are available on the PCI SSC website.
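Substitution and tampering of the kind described above leave two traces a merchant can check without any specialist equipment: a device whose serial number no longer matches what was installed at that lane, and a tamper-evident seal that is no longer intact. The example below is added here and is not from the original post or the PCI SSC; it reconciles a constructed device inventory against a constructed walk-round inspection and reports the discrepancies. The record fields, lane names and serial numbers are assumptions.

```python
"""Reconcile a point-of-sale card-reader inventory against an inspection to
surface the substitution and tampering PCI DSS 3.0 9.9 is aimed at.

Added example with constructed data; the record fields are assumptions."""

# Constructed inventory: the device that should be at each lane.
INVENTORY = {
    "lane-1": {"model": "PED-100", "serial": "SN1001"},
    "lane-2": {"model": "PED-100", "serial": "SN1002"},
    "lane-3": {"model": "PED-200", "serial": "SN2003"},
    "lane-5": {"model": "PED-200", "serial": "SN2005"},
}

# Constructed inspection: what staff actually found on a walk-round.
INSPECTION = [
    {"location": "lane-1", "serial": "SN1001", "seal_intact": True},
    {"location": "lane-2", "serial": "SN9999", "seal_intact": True},   # wrong device at the lane
    {"location": "lane-3", "serial": "SN2003", "seal_intact": False},  # seal broken
    {"location": "lane-4", "serial": "SN4004", "seal_intact": True},   # lane not in inventory
    # lane-5 was never inspected
]


def reconcile(inventory, inspection):
    """Return (location, finding, detail) tuples for every discrepancy.

    Findings: 'substituted' (serial differs from inventory), 'tamper-evidence'
    (seal not intact), 'unknown-device' (location not in inventory) and
    'missing' (inventoried device not seen during the inspection)."""
    findings = []
    seen = set()
    for obs in inspection:
        loc = obs["location"]
        seen.add(loc)
        expected = inventory.get(loc)
        if expected is None:
            findings.append((loc, "unknown-device", obs["serial"]))
            continue
        if obs["serial"] != expected["serial"]:
            findings.append((loc, "substituted",
                             f'{expected["serial"]}->{obs["serial"]}'))
        if not obs["seal_intact"]:
            findings.append((loc, "tamper-evidence", obs["serial"]))
    for loc in sorted(set(inventory) - seen):
        findings.append((loc, "missing", inventory[loc]["serial"]))
    return findings


if __name__ == "__main__":
    for loc, kind, detail in reconcile(INVENTORY, INSPECTION):
        print(f"{loc:7} {kind:16} {detail}")
```

A serial mismatch is the signature of a swapped terminal; a broken seal with the right serial points at an overlay or an opened case. Both are worth treating as incidents until the device has been examined, and the inventory the check runs against has to be kept current or every legitimate replacement will look like a substitution.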
