.webp?width=2169&height=526&name=Compass%20white%20blue%20transparent%202%20website%20(1).webp "Compass IT Compliance")
-1.webp?width=2169&height=620&name=Compass%20regular%20transparent%20website%20smaller%20(1)-1.webp "Compass IT Compliance")
PCI DSS 3.2 is on the horizon with a release date expected to take place by the end of April. The PCI Data Security Standards is now considered a mature standard, which means that there will be incremental updates moving forward, not wholesale changes like we have experienced in the past. According to the PCI Security Standards Council, these changes occur for three main reasons:
- Feedback from the community
- Changing Threats to cardholder data
- Latest attack trends taking place
While bullet points two and three sound similar, they are different, which we will see when we discuss the changes upcoming in PCI DSS 3.2. The PCI Security Standards Council has published on their blog a tentative timeline for releasing information about PCI DSS 3.2. Here is a snapshot of that timeline:
- April 2016 - PCI DSS 3.2 released and supporting documentation published
- October 2016 - PCI DSS 3.1 will retire, 6 months after the release of PCI DSS 3.2
- February 1, 2018 - PCI DSS 3.2 will be required to be implemented. Before this date, the PCI DSS 3.2 requirements are considered best practices
While we don't know all the specifics around the release yet, we have a pretty good idea of what changes will take place, when they will take place, and how long organizations will have to comply, which we will cover in this blog post. First, we need a quick history lesson on PCI DSS 3.1.
The big change in PCI DSS 3.1 was that SSL and early versions of TLS were no longer considered appropriate forms of cryptography according to the National Institute of Standards and Technology (NIST). The reason for this was due to some inherent weaknesses found in these protocols, exploited by browser attacks such as POODLE and BEAST. This was, and still is, a big change as this requires significant changes by organizations that would take some time to put in place. For that reason, it is no big surprise that one of the key changes in PCI DSS 3.2 has to do with the timeframe for moving away from SSL and Early TLS versions. So with that, let's hit on the 4 big changes in PCI DSS 3.2:
- Accommodations to migration dates away from SSL and Early TLS versions. The timeframe for this change is now June 30, 2018. Organizations should make the change sooner, but, it is not required until 6/30/2018
- Greater flexibility for display of Primary Account Number (PAN). This gives organizations, based on business need, the ability to display more than the last 4 or 6 digits of the PAN.
- Incorporate some Business As Usual (BAU) requirements which include updates to Pen Testing requirements and updates to confirmation of personnel following security policies and procedures on a quarterly basis
- Expand multi-factor authentication requirement to all administrative personnel with access to the cardholder data environment (CDE). This applies even within the network, not just remote access
While that is a brief overview of the key changes, these are pretty significant in nature. For that reason, Compass will be holding a webinar on April 28th at 1:00 PM to discuss these changes and what they will mean for your organization. To register, click on the button below and we look forward to seeing you on the 28th!
What: Changes to the PCI DSS - PCI DSS 3.2
When: Thursday April 28th @ 1:00 PM EST
Where: Online, register below
Share this
PCI Compliance - PCI DSS 3.2 By the Numbers
Where to Start with PCI Compliance: The PCI Compliance Checklist
No Comments Yet
Let us know what you think