PCI DSS v3.2 News

The PCI Council will publish the new version 3.2 of PCI DSS in April 2016.

Version 3.1 will be retired six months after the release of v3.2, so all assessments must be conducted against version 3.2 from October 2016 at the latest.

The new requirements introduced in version 3.2 are considered best practices until 31 January 2018 and become mandatory on 1 February 2018.

The announced version 3.2 of the PCI DSS will cover the following changes:

  • The revised deadlines for migrating away from SSL and early TLS
  • A new appendix (A2) addressing the SSL/early TLS migration requirements
  • A new appendix (A3) addressing the DESV requirements (Designated Entities Supplemental Validation)
  • Clarified requirements for displaying a PAN: at most the first six and last four digits may be shown, unless a documented business need justifies displaying more
  • Enhancements to change management processes, including confirmation that all affected PCI DSS controls are in place after a change
  • Introduction of the term “multi-factor” authentication in place of “two-factor”
  • Multi-factor authentication is required for all non-console administrative access into the CDE, not only for remote access from outside the network
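As an added illustration (not part of the original announcement), the following Python shows the first six/last four display rule in code, together with a Luhn-filtered scan that flags log lines still carrying an unmasked PAN. The sample log lines, the `business_need` flag, the 13 to 19 digit length window and the "X" mask character are assumptions made for this example; the PANs used are well-known test numbers that belong to no real cardholder.

```python
import re
from typing import List, Tuple

# Constructed sample log lines for this example (not from the original page).
SAMPLE_LOG_LINES = [
    "2016-04-12 10:01:02 order=1001 pan=4111111111111111 amount=19.99",
    "2016-04-12 10:01:05 order=1002 pan=5555555555554444 amount=5.00",
    "2016-04-12 10:01:09 order=1003 ref=1234567890123 amount=3.50",
]

# Default display limit: first six / last four is the maximum without a business need.
MAX_PREFIX = 6
MAX_SUFFIX = 4


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_permitted_mask(visible_prefix: int, visible_suffix: int, business_need: bool) -> bool:
    """Showing more than first six/last four is only allowed with a documented business need."""
    if business_need:
        return True
    return visible_prefix <= MAX_PREFIX and visible_suffix <= MAX_SUFFIX


def mask_pan(pan: str, visible_prefix: int = MAX_PREFIX, visible_suffix: int = MAX_SUFFIX,
             business_need: bool = False) -> str:
    """Return the PAN with the middle digits replaced by 'X' (assumed mask character)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("value is not PAN-shaped (13-19 digits)")
    if not is_permitted_mask(visible_prefix, visible_suffix, business_need):
        raise ValueError("more than first six/last four requires a documented business need")
    hidden = len(pan) - visible_prefix - visible_suffix
    if hidden <= 0:
        raise ValueError("mask would reveal the full PAN")
    return pan[:visible_prefix] + "X" * hidden + pan[-visible_suffix:]


# Candidate PANs: 13-19 digit runs not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def mask_pans_in_text(text: str) -> Tuple[str, int]:
    """Mask every Luhn-valid candidate in the text; return (masked text, number masked)."""
    count = 0

    def repl(match: "re.Match") -> str:
        nonlocal count
        candidate = match.group(0)
        if luhn_valid(candidate):   # Luhn filter drops most order numbers and timestamps
            count += 1
            return mask_pan(candidate)
        return candidate

    return PAN_CANDIDATE.sub(repl, text), count


def unmasked_pan_lines(lines: List[str]) -> List[int]:
    """Return the 1-based line numbers that still contain an unmasked, Luhn-valid PAN."""
    return [i for i, line in enumerate(lines, 1) if mask_pans_in_text(line)[1] > 0]


if __name__ == "__main__":
    for n in unmasked_pan_lines(SAMPLE_LOG_LINES):
        print("unmasked PAN on line", n, "->", mask_pans_in_text(SAMPLE_LOG_LINES[n - 1])[0])
```

The Luhn filter is what keeps the scan usable on real logs: plain 13 to 19 digit runs (order references, timestamps without separators) match the regex constantly, but only about one in ten of them passes Luhn, so the third sample line is left alone. The `business_need` flag stands in for the documented justification the requirement calls for; in a real system it would be derived from the caller's role, not passed by the caller.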

Additional requirements for service providers only:

  • Maintain a documented description of the cryptographic architecture
  • Penetration testing of segmentation controls at least every six months
  • Quarterly reviews confirming that personnel follow security policies and operational procedures
  • Establish a formal PCI DSS compliance program
  • Timely detection and reporting of failures of critical security control systems

PA-DSS v3.2 News

The PCI Council will publish the new version 3.2 of PA-DSS in May 2016.

The new version aligns PA-DSS with the PCI DSS v3.2 changes. A transition period will allow validations already in progress against v3.1 to be completed.