The PCI Security Standards Council published version 3.2 of PCI DSS this week on April 28, 2016. Organizations should implement version 3.2 as soon as possible to prevent, detect, and respond to cyberattacks that can lead to payment data breaches. Key differences between version 3.1 and version 3.2 include:
- Revised Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) sunset dates as outlined in the Bulletin on Migrating from SSL and Early TLS.
- Formal processes for detection and reporting on failures of critical security controls.
- Expansion of requirement 8.3 to include use of multi-factor authentication for administrators accessing the cardholder data environment.
- Penetration testing to validate cardholder data network segmentation and isolation is now required every six months instead of annually.
- Additional security validation steps for service providers and others, including the “Designated Entities Supplemental Validation” (DESV) criteria, which was previously a separate document.
PCI SSC released a full summary of changes from version 3.1 to version 3.2. Version 3.1 expires on October 31, 2016, however organizations have until February 1, 2018 to fully implement PCI DSS version 3.2. These key dates are outlined below:
- April 2016: PCI DSS 3.2, as well as all supporting documents and SAQs, will be released.
- October 2016: PCI DSS 3.1 will retire six months after the release of PCI DSS 3.2, and all assessments or SAQs taken after that time will need to use version 3.2. This is significant for those with year-end annual assessment cycles.
- February 2018: All new requirements within PCI DSS 3.2 will become effective. (Prior to that they will be considered “best practices.”)
PCI DSS version 3.2 can be found here: