Last Updated: 2016-04-29 14:03:29 UTC
by Mark Hofman (Version: 1)
A new version of the standard was released today, version 3.2. There are a number of changes that will affect those that need to comply with the standard, especially for service providers. For service providers struggling to move customers away from SSL and weak TLS there is some good news. The deadline for this requirement has been moved to June 30 2018. Service providers will however be required to have a secure environment (i.e. accepting TLS v1.2 or v1.1) by June 30 2016 (yes two months). This shouldn't be to onerous as most service providers will already have this in place.
There are a few new requirements in the standard. The majority of these only apply to service providers and relate to ensuring that processes are followed throughout the year rather than a once a year effort. They are best practice until 1 February 2018, after which they must be in place. A number of these are also quarterly requirements.
- 3.5.1 – Maintain a documented description of the cryptographic architecture.
- 220.127.116.11 – If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
- 12.4 – Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program.
- 12.11 – Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures.
The other big change affecting everyone relates to multi factor authentication for administration of the Cardholder Data Environment (CDE). Currently this requirement is only needed when remote access is used to access the CDE. This requirement has now been extended to include ALL administrative access of the CDE. This means that you will need to roll out some form of multi factor authentication for all administrative access to the environment.
Other changes in the standard are generally clarifications. The new release of the standard is effective immediately, version 3.1 will be retired October 31, 2016. Your next assessment will likely be against the new version of the standard.
The council’s “Summary of changes document from PCI DSS version 3.1 to 3.2” (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2_Summary_of_Changes.pdf) outlines all of the changes and is well worth a read.
Mark H - Shearwater