The threat landscape has changed considerably over the last few months: vulnerabilities such as POODLE severely undermined what were considered to be strong cryptographic protocols.
Though it’s been less than a year since the last version of the Payment Card Industry Data Security Standard (PCI DSS) was released, the PCI Security Standards Council have announced that they will be rolling out version 3.2 of PCI DSS between March and April of this year in order to address these vulnerabilities.
The council have stated that the new standard will largely focus on improvements that include:
- Additional multi-factor authentication for admins within a cardholder data environment (CDE)
- Incorporating some of the Designated Entities Supplemental Validation (DESV) criteria for service providers
- Clarifying criteria for the masking of primary account numbers (PAN) when displayed
- Updated migration dates for SSL/early TLS that were published in December 2015
Preparation for the updated standard
The new version will be effective as soon as it is published, with version 3.1 being phased out over a three-month period to allow organisations that have PCI DSS v3.1 assessments currently underway to complete them.
It is therefore essential that organisations stay abreast of the release of v3.2 so that they find out the details of the new and updated requirements as soon as possible, maximising the time available to them to achieve compliance with the new standard.
Sysnet notes, however, that, as was the case when Requirement 9.9 was introduced with v3.0, any new requirements will be considered best practices for a sunrise period, which will be based on the release date of v3.2. This sunrising of the new requirements will give organisations a further period in which to assess the implications of those new requirements and plan for their implementation.
As an example, for Requirement 9.9, that sunrise period was 17 months from the release of v3.0.