The v3.2.1 revision of the PCI DSS included only minor updates and clarifications. The PCI SSC also revised the SAQs to reflect the PCI DSS V3.2.1 while also adding one additional requirement (6.2) to the SAQ A. We discussed the changes incorporated into the v3.2.1 PCI DSS in our July article (https://sysnetgs.com/2018/07/quick-guide-changes-in-pci-dss-v3-2-1/).
The PCI SSC allowed a six-month transition period from publication of v3.2.1 so that organisations in the middle of their compliance programme or assessment could complete their activities against v3.2 (both ROCs and SAQs). With the end of 2018 fast approaching, so too is the end of that transition period:
- Up until 31st December 2018, businesses may validate their PCI DSS compliance to v3.2 or v3.2.1.
- PCI DSS v3.2 and the associated v3.2 revision 1.1 SAQs will be retired from 1st January 2019.
- From 1st January 2019, businesses may only validate compliance to PCI DSS v3.2.1.
We recommend that you check all received ROCs to confirm that validation has been completed against v3.2.1 and that the assessing QSA has used the correct version of the ROC Reporting Template (https://www.pcisecuritystandards.org/documents/PCI-DSS-v3_2_1-ROC-Reporting-Template.pdf).
Check also that submitted SAQs are the June 2018 v3.2.1 versions.
The version of the associated Attestation of Compliance (AOC) must match the version of the submitted ROC or SAQ (v3.2.1).