New PCI DSS 3.2 version issued

3 May 2016 — The PCI Security Standards Council (PCI SSC) officially published the latest version of its data security standard on the 28th of April. The new PCI DSS version 3.2 replaces version 3.1 to address growing threats to customer payment information - the previous version 3.1 will expire on 31 October 2016.

The updated standard includes the already known change types from previous version changes:

• Clarification: clarifying the intent of the specific requirement
• Additional guidance: explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic
• Evolving Requirement: changes to ensure that the standards are up to date with emerging threats and changes in the market

The relevant key changes in PCI DSS 3.2 include:

• Revised Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) sunset dates as outlined in the Bulletin on Migrating from SSL and Early TLS
• Clarification that any displays of PAN greater than the first six/last four digits of the PAN requires a legitimate business need, including additional guidance on common masking scenarios
• New requirement for service providers to maintain a documented description of their cryptographic architecture
• New requirement for change control processes to include verification of PCI DSS requirements impacted by a change
• Expansion of requirement 8.3 to include use of multi-factor authentication for all personnel with non-console administrative access, and all personnel with remote access to the CDE
• New requirement for service providers to detect and report on failures of critical security control systems
• New requirement for service providers to perform penetration testing on segmentation controls at least every six months
• New requirement for service providers’ executive management to establish responsibilities for the protection of cardholder data and a PCI DSS compliance program
• New requirement for service providers to perform reviews at least quarterly, to confirm personnel are following security policies and operational procedures
• Additional security validation steps for service providers and others, including the “Designated Entities Supplemental Validation” (DESV) criteria

The new version of the Standard and several other PCI-related materials are publicly available in the Document Library of PCI Security Standards Council.