
PCI DSS version 3.2 changes

July 25, 2016 Article 1 min read

The Payment Card Industry (PCI) Data Security Standard (DSS) version 3.2 was released in May 2016 to include the revised migration dates and to address the changing threat and payment acceptance landscape. Version 3.2 may have been somewhat surprising to stakeholders, as it did not follow the standard update cycle previously outlined by the PCI Security Standards Council (SSC). This is because the industry now recognizes the PCI DSS as a mature standard, requiring only incremental revisions such as 3.2.

While version 3.2 is only an incremental revision, there are some significant changes that may affect merchants and service providers alike. We have identified three key changes to bring to the attention of all organizations that are required to be in compliance with the PCI DSS.

  1. Additional multifactor authentication requirements
  2. Extended migration dates for SSL/early TLS
  3. Additional requirements for service providers

We recommend that organizations take a proactive approach in planning for the changes present in version 3.2. Changes such as the implementation of multifactor authentication for non-console administrative access could take significant resources to achieve. Organizations should consider the key dates outlined below when preparing their project management plans. Keep in mind that all new requirements must be implemented for any assessment occurring on or after February 1, 2018.
  • April 2016
    PCI DSS 3.2, as well as all supporting documents and SAQs, was released.
  • October 2016
    PCI DSS 3.1 will retire six months after the release of PCI DSS 3.2, and all assessments or SAQs taken after that time will need to use version 3.2 (this is significant for those with year-end annual assessment cycles).
  • February 2018
    All new requirements within PCI DSS 3.2 will become effective.
  • June 2018
    All entities must have stopped use of SSL/early TLS as a security control.
