PCI Compliance - PCI DSS 3.2 By the Numbers

Geoff Yeagley
Apr 26, 2016 10:00:00 AM

PCI DSS 3.2 is coming and that means some changes for Merchants and Service Providers and the steps that they take to mitigate their risk of a breach involving credit and debit cards. While change is inevitable, change can still be difficult,especially when you are talking about all of the different parts related to PCI Compliance and Information Security. The good news is that the PCI Data Security Standard (DSS), according to the PCI Security Standards Council (SSC), is now considered a mature standard and, therefore, will only see incremental changes moving forward. But what are incremental changes? While they may not fall into the category of major shifts, incremental changes can still have a significant impact on an organization. For that reason, we are going to dig into PCI DSS 3.2 by the numbers.

Before we provide some of the numbers of changes in the PCI DSS 3.2 release that will be taking place over the coming days, we need to define some of the terms that PCI SSC uses. There are 3 main categories that these changes fall into:

  • Clarification - This is the most common change that gets made. The PCI SSC defines this as "clarifying the intent of the requirement and that the concise wording portrays the desired intent of requirements."
  • Additional Guidance - The PCI SSC defines Additional Guidance as the "explanation, definition, and/or instruction to increase understanding or provide further information or guidance on a particular topic."
  • Evolving Requirement - This is the big one that involves new requirements that merchants and service providers must pay attention to. In fact, the PCI SSC defines this as "Changes to ensure that the standards are up to date with emerging threats and changes in the market."

While the three above categories are all important and need to be taken very seriously, the Evolving Requirements are the ones that usually are the biggest changes based on feedback from the community, changing threats, and attack trends that are taking place in the market today. 

Now that we have the context, let's get to the numbers of just how many changes take place in the release of PCI DSS 3.2:

  • Clarification - 47 clarifications that include all of the requirement, with the exception of Requirement 5 (Protect all systems against malware and regularly update anti-virus software or programs)
  • Additional Guidance - 3 pieces of additional guidance, two of which are general in nature (Relationship between PA-DSS and PCI DSS and description of how this release of PCI DSS 3.2 impacts previous releases) and the third piece of additional guidance covers PCI DSS Requirement 12.8.2
  • Evolving Requirements - There are a total of 8 evolving requirements in PCI DSS 3.2. See table below for a summary of these requirements
Requirement New or Updated? Brief Explanation
Requirement 3.3 Updated PAN Display
Requirement 3.5.1 New Cryptographic architecture
Requirement 6.4.6 New Change controls processes to include PCI DSS verification
Requirement 8.3 New Multi-factor authentication
Requirement 10.8 New Detect and report failures of critical security control systems
Requirement New Penetration Testing on Segmentation Controls
Requirement 12.4 New PCI DSS Compliance Program
Requirement 12.11 and 12.11.1 New Quarterly Security Policy and Procedure Reviews


Compass IT Compliance has previously hosted several webinars on PCI DSS 3.2, to discuss these changes and provide some additional information for merchants and service providers. Click below to watch!

PCI DSS 3.2 Changes

PCI DSS 3.2 Requirements


You May Also Like

These Stories on PCI Compliance

Subscribe by Email

No Comments Yet

Let us know what you think