PCI DSS version 3.2 changes

 

The Payment Card Industry (PCI) Data Security Standards (DSS) version 3.2 was released in  May 2016 to include the revised migration dates and address the changing threat and payment acceptance landscape. Version 3.2 may have been somewhat surprising to stakeholders as it did not follow the standard update cycle previously outlined by the PCI Security Standards Council (SSC). This is because the industry has recognized the PCI DSS as a mature standard now,  requiring only incremental revisions like 3.2.

While version 3.2 is only an incremental revision, there are some significant changes that may affect merchants and service providers alike. We have identified three key changes to bring to the attention of all organizations that are required to be in compliance with the PCI DSS.

1. Additional multifactor authentication requirements
2. Extended migration dates for SSL/early TLS
3. Additional requirements for service providers

We recommended that organizations take a proactive approach in planning for the changes  present in version 3.2. Changes like the implementation of multifactor authentication for  nonconsole administrative access could take significant resources to achieve. Organizations should consider the key dates outlined below when preparing their project management plans. Keep in mind that all new requirements are required to be implemented for any assessment  occurring on or after February 1, 2018..

• April 2016
  PCI DSS 3.2, as well as all supporting documents and SAQs, were released.
• October 2016
  PCI DSS 3.1 will retire six months after the release of PCI DSS 3.2, and all assessments or SAQs taken after that time will need to use version 3.2 (this is significant for those with year-end annual assessment cycles).
• February 2018
  All new requirements within PCI DSS 3.2 will become effective.
• June 2018
  All entities must have stopped use of SSL/early TLS as a security control.