The Payment Card Industry (PCI) Data Security Standard (DSS) version 3.2 was released in April 2016 to set revised SSL/early TLS migration dates and to address the changing threat and payment acceptance landscape. Version 3.2 may have surprised some stakeholders because it did not follow the three-year update cycle the PCI Security Standards Council (SSC) had previously outlined. The Council's rationale is that the PCI DSS is now a mature standard that requires only incremental revisions such as 3.2.
Although version 3.2 is an incremental revision, several of its changes are significant for merchants and service providers alike. We have identified three key changes that every organization required to comply with the PCI DSS should be aware of:
- Additional multifactor authentication requirements
- Extended migration dates for SSL/early TLS
- Additional requirements for service providers
- April 2016: PCI DSS 3.2 is released, together with all supporting documents and SAQs.
- October 2016: PCI DSS 3.1 retires six months after the release of 3.2, and any assessment or SAQ performed after that date must use version 3.2 (this is significant for organizations with year-end annual assessment cycles).
- February 2018: all new requirements in PCI DSS 3.2, which are considered best practices until then, become mandatory.
- June 2018: all entities must have stopped using SSL and early TLS as a security control. The one exception is POS POI terminals (and the termination points they connect to) that have been verified as not susceptible to any known exploits for those protocols.
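The June 2018 deadline is the one item in the timeline that can be verified technically rather than by paperwork. The Python example below is added here and is not code from the original article or from the PCI SSC. It shows the weak client configuration beside the hardened one (a context that refuses anything below TLS 1.2 at handshake time) and a probe that asks a server whether it still completes a handshake at SSL 3.0, TLS 1.0 or TLS 1.1. The host and port passed to the probe are assumptions supplied by the caller, the probe needs network access, and the example treats TLS 1.1 as unacceptable along with TLS 1.0, which is stricter than the bare minimum but matches the Council's recommendation to move to TLS 1.2 or higher.

```python
import socket
import ssl

# Protocol names as returned by SSLSocket.version(). SSL and "early TLS" are the
# versions PCI DSS 3.2 required entities to stop relying on; TLS 1.1 is included
# here as a policy choice aligned with the Council's TLS 1.2+ recommendation.
PCI_DISALLOWED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Legacy versions a server should no longer accept (SSLv2 cannot be requested
# through the ssl module, so it is not probed).
LEGACY_VERSIONS = (
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
)


def is_pci_acceptable(negotiated_version):
    """True if a negotiated protocol name is TLS 1.2 or newer; None (no TLS
    session) is treated as unacceptable rather than silently passing."""
    if negotiated_version is None:
        return False
    return negotiated_version not in PCI_DISALLOWED_VERSIONS


def default_client_context():
    """The setting to move away from: a bare client context whose floor is
    whatever the linked OpenSSL permits, which on older builds includes
    TLS 1.0 and 1.1, so a downgraded handshake succeeds unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs()
    return ctx


def pci_client_context():
    """Hardened client context: refuse anything below TLS 1.2 during the
    handshake and keep certificate and hostname verification on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    return ctx


def server_accepts(host, port, version, timeout=5.0):
    """Pin both ends of the version range to one legacy protocol and report
    whether the server completes the handshake. Certificate checks are off
    because only the protocol negotiation matters for this probe."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, ConnectionResetError):
        # Handshake refused, alert sent, or connection dropped: not accepted.
        return False


def audit_server(host, port=443):
    """Return {version_name: accepted} for each legacy protocol; any True
    value means the server has not finished its SSL/early TLS migration."""
    return {v.name: server_accepts(host, port, v) for v in LEGACY_VERSIONS}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed target
    for name, accepted in audit_server(target).items():
        print(f"{target}: {name} {'ACCEPTED' if accepted else 'refused'}")
```

Run it as `python audit_tls.py payments.example.com` (the filename and host are placeholders). Since Python 3.10 `ssl.create_default_context()` already sets the floor to TLS 1.2, but an explicit `minimum_version` documents the control and protects code that must also run on older interpreters; on OpenSSL builds that have removed the legacy protocols the probe simply reports them as refused.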