PCI DSS Version 3.1 will expire on 31 October 2016. All new requirements under version 3.2 are best practices until 1 February, 2018 to allow organizations an opportunity to prepare to implement these changes.
PCI DSS Supplemental Designated Entities Validation (DESV) criteria has been added as an appendix to the standard, as well as a few existing PCI DSS requirements (3, 10, 11, 12) have been expanded to include DESV (Designated Entities Supplemental Validation) controls for service providers specifically.
It is important for organizations to ensure security controls are in place following a change in their cardholder data environment (new requirement 6.4.6). This helps to ensure that device inventories and configuration standards are kept up to date, and security controls are applied where needed
New requirements 10.8 and 10.8.1 outline that service providers need to detect and report on failures of critical security control systems.
New requirement 18.104.22.168 indicates that service providers need to perform penetration testing on segmentation controls every six months.
New requirement 12.4.1 is for executive management of service providers to establish responsibilities and a PCI DSS compliance program
Multi-factor authentication is already a requirement in the PCI DSS for remote access. The significant change in PCI DSS 3.2 adds multi-factor authentication as a requirement for any personnel with non-console administrative access to the systems handling card data, so that a password alone is not enough to verify the user’s identity and grant access to sensitive information
Requirement 12.11 and 12.11.1 asks that service providers perform quarterly reviews to confirm that personnel are following security policies and operational procedures
Another change being introduced relates to primary account number (PAN) masking. PCI DSS requirement 3.3 has been updated to ensure that only the minimum number of digits are displayed as necessary to perform a specific business function. The requirement continues to use the example of first six, last four digits. This update also provides flexibility, such as for varying BIN (Bank Identification Number) routing and aligns with recent considerations to other industry standards.