PCI DSS version 3.2.1 has been released. Luckily for users, very little has changed; the update exists only to replace 3.2 with respect to the effective dates by which the change-over must be completed. The SSL migration deadlines have already passed, so everyone should be using 3.2 at this time. 3.2.1 was published to remove any confusion about the effective dates in PCI DSS 3.2.
PCI SSC Chief Technology Officer Troy Leach said, “It is critically important that organizations disable SSL/early TLS and upgrade to a secure alternative to safeguard their payment data.”
The changes that were made are minor. They mostly concern the existing requirements and how those will be affected once the deadlines have passed; in effect, they give organizations the opportunity to work out whether their implementations will meet the requirements by the final deadline on June 30th. Some of these changes include:
- Updates to Appendix A2 to show that only POS POI terminals and service providers may continue using SSL/early TLS as a security control following June 30th.
- The removal of multiple notes referencing February 1st, as this date has passed and everyone should already be compliant with them.
- The removal of multi-factor authentication (MFA) from the compensating control example in Appendix B.
- Also, the updates in 3.2.1 DO NOT affect the Payment Application Data Security Standard (PA-DSS), which remains at version 3.2 until June 30th.
Nothing new, really.
Just like the previous version of PCI DSS, version 3.2.1 must be followed by any organization that stores, processes, or transmits cardholder data. Everyone from the largest financial institutions in the world to little shops downtown must abide by these rules. The rules in version 3.2.1 are already required to be followed, as everything in it became mandatory on February 1st 2018. The only parts not yet required are the remaining exceptions to the earlier requirements covering the migration from SSL to secure TLS protocols. Organizations must complete these changes by June 30th 2018.
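A quick check for the SSL/early TLS requirement discussed above, added here as an example and not taken from the PCI SSC or from this post's author: it pins a Python ssl client to one protocol version at a time and reports which legacy versions a server still negotiates. The host and port are assumptions supplied by the caller, and flagging TLS 1.1 alongside SSL and TLS 1.0 is this example's own stricter choice.

```python
import socket
import ssl

# PCI SSC treats SSL (any version) and TLS 1.0 as "early TLS". TLS 1.1 is
# flagged here as well; that stricter bar is this example's own assumption.
EARLY = {ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}
CANDIDATES = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
              ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def handshake(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to `version`,
    False if it refuses, None if this client cannot even offer it."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # probing protocol support, not identity
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version   # pin both ends of the range so the
        ctx.maximum_version = version   # server cannot negotiate something else
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let OpenSSL 3 offer legacy versions
    except (ValueError, ssl.SSLError):
        return None                      # local OpenSSL build lacks this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError as exc:
        # NO_PROTOCOLS_AVAILABLE means *our* side could not offer it: untested,
        # not a pass. Any other failure (e.g. a protocol_version alert) is a refusal.
        return None if exc.reason == "NO_PROTOCOLS_AVAILABLE" else False
    except OSError:
        return None


def probe(host, port=443, connect=handshake):
    """Try every candidate version; `connect` is injectable for offline tests."""
    return {v: connect(host, port, v) for v in CANDIDATES}


def findings(results):
    """Split results into versions Appendix A2 forbids that are still accepted,
    and versions this client could not test (those need a second tool)."""
    noncompliant = sorted(v.name for v, ok in results.items() if ok and v in EARLY)
    untested = sorted(v.name for v, ok in results.items() if ok is None)
    return {"noncompliant": noncompliant, "untested": untested}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed host
    print(findings(probe(target)))
```

A version reported as untested is a limitation of the local OpenSSL build, not evidence that the server rejects it; confirm those with a second tool.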
In general, the changes in version 3.2.1 focus on the speed at which malicious parties are able to exploit weaknesses in the payment card process as a whole. Threats to cardholders are growing quickly as attackers' tooling continues to improve, and the newest version of PCI DSS was created to combat this.
Version 3.2.1 of PCI DSS includes new subsections as well as changes to existing ones. These are covered briefly below.
- PCI Requirement 6.4.6 – A new sub-requirement that makes it mandatory for all merchants to demonstrate that proper security controls are in place whenever there is a change to the cardholder data environment. It was introduced to improve safety and to ensure merchants take an active role in preventing breaches.
- PCI Requirement 8.3.1 – This change was originally introduced in PCI DSS version 3.2. It states that multi-factor authentication, or MFA, is required for ALL non-console access. This replaces the earlier, less strict rule that required MFA only for remote console access to cardholder data. In version 3.2.1, 8.3 has been expanded into 8.3, 8.3.1, and 8.3.2.
- PCI Requirement 12.11 – This new requirement states that service providers must perform quarterly reviews. These reviews are used to ensure personnel are following all of the operational procedures and security policies. It is another requirement put in place to keep cardholders' safety the top priority.
- PCI Requirement 10.8 – This new requirement states that providers MUST detect and report all failures of their security control systems. These failures can involve firewalls, file integrity monitoring, logical and physical access controls, antivirus, and anything else that could jeopardize cardholders' safety and security. Its sub-requirement, 10.8.1, states that these failures MUST be responded to in a timely manner and requires that steps are taken to fix them.
PCI DSS 3.2.1 Summary
In general, almost all of 3.2.1 should already be followed. Most of it is a rewording of rules that are already mandated, simply stated more clearly. PCI DSS has been in place for over 10 years, so all organizations should already be compliant or working toward compliance. If they are not, adhering to this new PCI DSS version should be their number one priority.