PCI 3.2 is here and many merchants are wondering how the new requirements will impact their technology operations. The good news is that the PCI DSS has given organizations plenty of time to prepare for the changes. In an effort to bypass all of the technical noise, we’ve narrowed the new PCI 3.2. changes down to four key elements that will directly affect business owners:
- More penetration testing and other additional requirements for service providers. PCI 3.2 will incorporate some of the Designated Entities Supplemental Validation (DESV) criteria for service providers. These additional requirements will include: penetration tests at least twice a year (with PCI 3.1, pen tests were only required once a year), demonstrating a detection mechanism is in place to respond to the failure of critical security controls, and quarterly reviews to ensure their personnel are following security procedures and policies.
- Multi-factor authentication for both remote and local access. The two-factor authentication requirement for remote access programs has been included in the PCI DSS requirements for quite some time now, but with PCI 3.2, business owners must incorporate multi-factor authentication for local access as well. The need for additional multi-factor authentication is the result of an uptick in data breaches due to weak or stolen passwords. The deadline for the new multi-factor authentication requirement is February 1, 2018.
- Transition from SSL/early TLS to a more secure version of TLS. As more vulnerabilities have surfaced in SSL and early TLS, the PCI Council has replaced SSL with a new, more secure version of TLS (v1.1 or higher) within the PCI DSS as an encryption method. Because so many businesses depend on SSL, the PCI Council is giving organizations until July 1, 2018 to make the change.
- Retirement of PCI 3.1. This is an obvious one, but the retirement of PCI 3.1 mainly relates to assessments and SAQs. All assessments and SAQs completed after October 31, 2016 will need to use version 3.2.
For more details on the changes associated with PCI 3.2, the PCI Council has provided a resource guide that addresses common questions. You can also review the official PCI 3.2 Summary of Changes.
Information courtesy of Steve Zurier, Dark Reading