Another version of PCI DSS was released by the PCI Security Standards Council on 28 April 2016 - PCI DSS v3.2. The SSC comments that the industry should expect more incremental revisions in the future, to address the changing threat and payment landscape.
What are the technical headlines?
Extended migration deadlines from SSL/early TLS. This update mandates the extended migration deadlines for removal of SSL/early TLS (TLS 1.0). The new deadline is 30 June 2018 (with specific deadlines for service providers), with some caveats in POS POI environments. Prior to the deadline, existing implementations of SSL/early TLS must have a formal Risk Mitigation and Migration Plan (RMMP) in place.
The bulletin published in December 2015 (refer to link below) is still technically current; only the deadlines have been superseded. TLS 1.2 is currently the preferred protocol, and early migration is strongly encouraged by the SSC.
Penetration tests every six months for service providers. Effective from 1 Feb 2018, service providers must perform penetration testing on segmentation controls at least every six months, rather than annually, to ensure the segmented environment is truly isolated.
Multi-factor authentication (MFA) scope expansion. The standard now mandates MFA for all individual non-console administrative access to systems handling card data; this is in addition to the existing requirement for MFA for all remote access to the CDE. This is also effective from 1 Feb 2018.
Details of the changes in full and guidance, including the new DESV requirements for service providers and minor changes to PAN masking, can be found in the full standard and summary of changes:
- Summary of Changes:
- Bulletin on Migrating from SSL and Early TLS: