
PCI DSS version 3.2 changes

July 25, 2016 Article 1 min read
The Payment Card Industry (PCI) Data Security Standard (DSS) version 3.2 was released in April 2016 to incorporate the revised SSL/early TLS migration dates and to address the changing threat and payment acceptance landscape.


Version 3.2 may have surprised some stakeholders, since it did not follow the update cycle the PCI Security Standards Council (SSC) had previously outlined (a major release every three years). The reasoning is that the industry now regards the PCI DSS as a mature standard, one that needs only incremental revisions such as 3.2 rather than periodic major rewrites.

Although version 3.2 is an incremental revision, several of its changes are significant for merchants and service providers alike. Three stand out for every organization that must comply with the PCI DSS:

  1. Multifactor authentication for all non-console administrative access into the cardholder data environment (Requirement 8.3), whether the administrator connects from inside the network or remotely; earlier versions required it only for remote access
  2. Extended migration dates for moving off SSL and early TLS
  3. Additional requirements that apply only to service providers, such as semi-annual penetration testing of segmentation controls (Requirement 11.3.4.1) and detecting and reporting failures of critical security controls (Requirement 10.8)
We recommend that organizations plan proactively for the changes in version 3.2. Implementing multifactor authentication for non-console administrative access, for example, can consume significant resources. The key dates below should feed into project management plans. Keep in mind that every new requirement is a best practice until January 31, 2018, and must be in place for any assessment occurring on or after February 1, 2018.
  • April 2016
    PCI DSS 3.2, as well as all supporting documents and SAQs, were released.
  • October 2016
    PCI DSS 3.1 retires six months after the release of 3.2, on October 31, 2016. Any assessment or SAQ started after that date must use version 3.2, which matters for organizations with year-end annual assessment cycles.
  • February 2018
    All new requirements within PCI DSS 3.2 will become effective.
  • June 2018
    By June 30, 2018, all entities must have stopped using SSL and early TLS as a security control. The one exception is POS POI terminals (and the service-provider termination points they connect to) that are verified as not susceptible to the known exploits against SSL and early TLS; those may continue to use them after the cut-off.
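Meeting the June 2018 date means turning the old protocol versions off on every server and not just adding cipher restrictions. The script below is an added example, not part of the original article or any PCI SSC tool; it parses nginx `ssl_protocols` and Apache `SSLProtocol` directives the way the servers do and reports which enabled versions fall under "SSL/early TLS". The two configuration snippets inside it are constructed for illustration, and the expansion of Apache's `all` keyword assumes a modern 2.4 build (older builds that still carried SSLv2 would need it added to `APACHE_ALL`).

```python
"""Audit nginx / Apache TLS protocol directives for SSL and early TLS.

Added example, not part of the original article or any PCI SSC tool.
Sample configuration text below is constructed for illustration.
"""
import re

# Version names as written in nginx `ssl_protocols` and Apache `SSLProtocol`.
# Assumption: a modern Apache 2.4 build, where `all` expands to everything
# except SSLv2 (older builds that still have SSLv2 would need it added here).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

# PCI SSC "SSL/early TLS": every SSL version plus TLS 1.0 must be off by the
# June 30, 2018 cut-off.  TLS 1.1 was tolerated but discouraged, so it is
# reported as a warning rather than a failure.
EARLY_TLS = {"SSLv2", "SSLv3", "TLSv1"}
DISCOURAGED = {"TLSv1.1"}


def nginx_protocols(directive):
    """`ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` -> set of enabled versions."""
    m = re.match(r"\s*ssl_protocols\s+([^;]+);", directive)
    if not m:
        raise ValueError("not an ssl_protocols directive: %r" % directive)
    return set(m.group(1).split())


def apache_protocols(directive):
    """`SSLProtocol all -SSLv3` -> set of enabled versions.

    Apache applies the tokens in order: `all` expands to APACHE_ALL, a `-`
    prefix removes a version, `+` or no prefix adds one.  The classic mistake
    is `all -SSLv3`, which reads as hardened but leaves TLS 1.0 and 1.1 on.
    """
    m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", directive)
    if not m:
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for tok in m.group(1).split():
        remove = tok.startswith("-")
        name = tok.lstrip("+-")
        versions = set(APACHE_ALL) if name.lower() == "all" else {name}
        if remove:
            enabled -= versions
        else:
            enabled |= versions
    return enabled


def classify(enabled):
    """Split enabled versions into (must_disable, should_disable), each sorted."""
    return sorted(enabled & EARLY_TLS), sorted(enabled & DISCOURAGED)


def audit_config(text):
    """Scan config text and return one finding dict per protocol directive."""
    findings = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("ssl_protocols"):
            enabled = nginx_protocols(s)
        elif s.startswith("SSLProtocol"):
            enabled = apache_protocols(s)
        else:
            continue  # comments and unrelated directives
        fail, warn = classify(enabled)
        findings.append({"directive": s, "enabled": sorted(enabled),
                         "fail": fail, "warn": warn})
    return findings


def is_compliant(text):
    """True when no directive in the text still enables SSL or TLS 1.0."""
    return all(not f["fail"] for f in audit_config(text))


# Constructed samples: the 'before' many sites ran in 2016 and the
# 'after' that meets the June 2018 cut-off.
WEAK_CONFIG = """
# nginx vhost
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Apache vhost: 'all -SSLv3' still permits TLS 1.0 and 1.1
SSLProtocol all -SSLv3
"""

HARDENED_CONFIG = """
ssl_protocols TLSv1.2 TLSv1.3;
SSLProtocol -all +TLSv1.2 +TLSv1.3
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "compliant" if is_compliant(cfg) else "NOT compliant")
        for f in audit_config(cfg):
            print("  %-40s fail=%s warn=%s" % (f["directive"], f["fail"], f["warn"]))
```

The Apache case is the one worth remembering: `SSLProtocol all -SSLv3` was a common "fix" after POODLE, but it still enables TLS 1.0, so the directive fails the June 2018 cut-off while looking hardened at a glance. A configuration audit like this only covers what the server is told to offer; confirm the live listener with a protocol scan as well, since an inherited global directive or a load balancer in front can differ from the vhost file.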
