New PCI DSS Standard 3.2 Released

Payment Card Industry Data Security Standard (PCI DSS) - The new PCI DSS standard, version 3.2, has been released. As we are all aware, in the modern age of Information Technology (IT), PCI DSS is critical to businesses and to the protection of individuals alike. Follow the link to read the exact details.

There are 2 Comments

W.r.t. major changes, Multifactor Authentication (MFA) requirements are expanded in version 3.2; it may change the criteria one adopts within an organization for the use of MFA, e.g. Internet-facing / critical-function apps.

Major points for PCI DSS v3.2:
· PCI DSS version 3.1 will expire on 31 October 2016. All new requirements under version 3.2 are best practices until 1 February 2018, to allow organizations an opportunity to prepare to implement these changes.
· PCI DSS Supplemental Designated Entities Validation (DESV) criteria have been added as an appendix to the standard, and a few existing PCI DSS requirements (3, 10, 11, 12) have been expanded to include DESV (Designated Entities Supplemental Validation) controls for service providers specifically.
· It is important for organizations to ensure security controls are in place following a change in their cardholder data environment (new requirement 6.4.6). This helps to ensure that device inventories and configuration standards are kept up to date, and that security controls are applied where needed.
· New requirements 10.8 and 10.8.1 outline that service providers need to detect and report on failures of critical security control systems. A new requirement indicates that service providers need to perform penetration testing on segmentation controls every six months. New requirement 12.4.1 is for executive management of service providers to establish responsibilities and a PCI DSS compliance program.
· Multi-factor authentication is already a requirement in the PCI DSS for remote access. The significant change in PCI DSS 3.2 adds multi-factor authentication as a requirement for any personnel with non-console administrative access to the systems handling card data, so that a password alone is not enough to verify the user's identity and grant access to sensitive information.
· Requirements 12.11 and 12.11.1 ask that service providers perform quarterly reviews to confirm that personnel are following security policies and operational procedures.
· Another change being introduced relates to primary account number (PAN) masking. PCI DSS requirement 3.3 has been updated to ensure that only the minimum number of digits necessary to perform a specific business function are displayed. The requirement continues to use the example of first six, last four digits. This update also provides flexibility, such as for varying BIN (Bank Identification Number) routing, and aligns with recent considerations in other industry standards.
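As an added example (not part of the post or of the standard's text), here is a Python sketch of requirement 3.3-style PAN display masking, where each business function sees only the digits it needs and the first-six/last-four example acts as a ceiling, plus a Luhn-gated redactor for PANs that stray into free text such as log lines. The DISPLAY_POLICY table, the purpose names and the sample log line are constructed assumptions.

```python
import re

# Constructed display policy (an assumption for this example, not text of the
# standard): (leading, trailing) digit counts each business function may see.
# Any purpose not listed falls back to fully masked, so exposure is opt-in.
DISPLAY_POLICY = {
    "bin_routing": (6, 0),        # BIN lookup needs the first six only
    "cardholder_lookup": (0, 4),  # confirming a card with the customer needs last four
    "fraud_review": (6, 4),       # the first-six/last-four example cited in req. 3.3
}
MAX_LEAD, MAX_TRAIL = 6, 4        # never exceed the first six / last four ceiling


def luhn_ok(digits: str) -> bool:
    """Mod-10 check; keeps the redactor from masking random ids such as order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan, purpose="default", mask_char="X", policy=DISPLAY_POLICY):
    """Return the PAN with only the digits the given purpose needs left visible."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_ok(digits):
        raise ValueError("input is not a plausible PAN")
    lead, trail = policy.get(purpose, (0, 0))
    lead, trail = min(lead, MAX_LEAD), min(trail, MAX_TRAIL)  # clamp over-broad policies
    hidden = len(digits) - lead - trail
    return digits[:lead] + mask_char * hidden + digits[len(digits) - trail:]


PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional spaces/dashes


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid 13-19 digit run in free text (log lines, tickets)."""
    def _sub(m):
        raw = m.group(0)
        try:
            return mask_pan(raw)  # default purpose: fully masked
        except ValueError:
            return raw  # wrong length or fails Luhn, so not treated as a PAN
    return PAN_RE.sub(_sub, text)
```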