PCI DSS VERSION 3.2 CHANGES

Source: Plante Moran, go.plantemoran.com/acton/attachment/15093/f-0521/1/-/-/-/-/PCI DSS...

The Payment Card Industry (PCI) Data Security Standard (DSS) version 3.2 was released in April 2016 to incorporate the revised SSL/early TLS migration dates and to address the changing threat and payment acceptance landscape. Version 3.2 may have been somewhat surprising to stakeholders, as it did not follow the standard update cycle previously outlined by the PCI Security Standards Council (SSC). The reason is that the industry now regards the PCI DSS as a mature standard that requires only incremental revisions such as 3.2.

While version 3.2 is only an incremental revision, there are some significant changes that may affect merchants and service providers alike. We have identified three key changes to bring to the attention of all organizations that are required to be in compliance with the PCI DSS.

1 Additional multifactor authentication requirements. Perhaps the most substantial addition is the requirement to use multifactor authentication for all non-console administrative access to, and all remote access into, an organization's Cardholder Data Environment (CDE). Multifactor authentication means a user identification plus at least two of the three authentication factor types: something you know (such as a password), something you have (such as a security token) and something you are (such as a fingerprint). Two factors of the same type, for example two passwords, do not qualify. For most organizations, this requirement will call for additional technology investments and/or changes to network configurations and processes.

2 Extended migration dates for SSL/early TLS. Because of serious vulnerabilities in these protocols, the PCI SSC removed SSL and TLS 1.0 from the PCI DSS as examples of strong cryptography. The migration completion date was extended to June 30, 2018, giving organizations additional time to move existing implementations away from SSL and TLS 1.0. PCI DSS 3.2 adds a new appendix (Appendix A2) to help companies transition to a strong cryptographic protocol as soon as possible. Merchants whose POS POI terminals rely on SSL or early TLS may be allowed to keep using those terminals past the June 30, 2018 deadline if they can verify that the devices are not susceptible to any known exploits for those protocols. Note also that service providers were required to offer a secure service offering (one that does not depend on SSL/early TLS) by June 30, 2016, the original migration date.
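The practical check behind this item is whether an endpoint will still complete a handshake at an SSL/early TLS version. The script below is an added example written for this page; it is not code from Plante Moran or the PCI SSC. It assumes only the Python standard library, a host and port you are authorized to probe, and a TLS 1.2 floor (so TLS 1.1 is also reported as weak, which is stricter than the "SSL and TLS 1.0" wording above). The evaluate() function works offline on a version-to-result map, so it can also be run over the output of any other scanner.

```python
"""Probe an endpoint for SSL/early TLS support (PCI DSS 3.2 Appendix A2).

Added example; not part of the Plante Moran document or any PCI SSC material.
Assumptions: Python 3.7+ standard library only; host/port are systems you are
authorized to test; TLS 1.2 is the enforced floor.
"""
import socket
import ssl
from typing import Dict, List, Optional

# Versions a modern Python/OpenSSL client can still be asked to negotiate.
# SSLv2 and SSLv3 are compiled out of current OpenSSL builds, so this client
# cannot exercise them; use a dedicated scanner for those two.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# "SSL/early TLS" in the document's sense is SSL and TLS 1.0. TLS 1.1 is
# treated as weak here too (assumption: the floor being enforced is TLS 1.2).
WEAK = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
STRONG = {"TLSv1.2", "TLSv1.3"}


def probe_version(host: str, port: int, version: ssl.TLSVersion,
                  timeout: float = 5.0) -> Optional[bool]:
    """Attempt a handshake pinned to exactly `version`.

    Returns True if the server completes it, False if the server refuses
    (or the connection fails), and None if this client cannot offer the
    version at all, which must be reported as "untested", never as "disabled".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing protocol support, not identity
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    # OpenSSL 3 rejects TLS 1.0/1.1 at its default security level; lower it
    # so the probe does not produce a false "refused". Ignored on builds that
    # do not understand the @SECLEVEL syntax.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def evaluate(negotiated: Dict[str, Optional[bool]]) -> List[str]:
    """Turn {version: True/False/None} into Appendix A2 findings."""
    findings = []
    for name in sorted(WEAK.intersection(negotiated)):
        result = negotiated[name]
        if result is True:
            findings.append(f"{name} still negotiable: disable it before the "
                            "June 30, 2018 Appendix A2 deadline")
        elif result is None:
            findings.append(f"{name} could not be tested from this client; "
                            "verify with another scanner")
    if not any(negotiated.get(name) for name in STRONG):
        findings.append("no strong protocol (TLS 1.2 or later) is offered")
    return findings


def audit(host: str, port: int = 443):
    """Probe every version in VERSIONS and return (raw results, findings)."""
    results = {name: probe_version(host, port, v) for name, v in VERSIONS.items()}
    return results, evaluate(results)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    raw, findings = audit(target, target_port)
    for name, ok in raw.items():
        state = "negotiated" if ok else ("untested" if ok is None else "refused")
        print(f"{name:8} {state}")
    print("\n".join(findings) or "No SSL/early TLS findings")
```

The None result is the caveat to watch: a current OpenSSL build that cannot itself speak TLS 1.0 would otherwise make every server look compliant, so the script reports that case as untested rather than as a pass. SSL 2.0/3.0 are not reachable from this client at all and need a dedicated scanner, and the POS POI exception described above is a risk decision about exploitability, not something a protocol probe can settle.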

3 Additional requirements for service providers. The majority of the new requirements in version 3.2 are aimed specifically at service providers. Service providers must implement a mechanism to detect and respond promptly to failures of critical security controls (requirement 10.8); perform penetration testing of network segmentation controls at least every six months (11.3.4.1); conduct at least quarterly reviews to confirm that personnel are following security policies and operational procedures (12.11); and have executive management establish responsibility for the protection of cardholder data and a PCI DSS compliance program (12.4). Merchants should understand how these changing requirements for their service providers affect their own service provider oversight responsibilities.

The PCI SSC has provided a summary of changes outlining the new and updated requirements (from version 3.1 to 3.2), as well as clarifications to ensure the desired intent of requirements is clear. The summary of changes contains information for all parties concerned with the PCI DSS. In addition to the key changes highlighted above, we have provided the following summary of changes and clarifications that should be on the minds of assessed entities. The applicability of each change or clarification to merchants and service providers is indicated as well.

SECTION OR REQUIREMENT | TYPE | CHANGE | APPLICABILITY

Scope | Clarification | Clarified that backup/recovery sites need to be considered when confirming PCI DSS scope. | Merchants; service providers

3.3 | Updated requirement | Updated to clarify that displaying more than the first six/last four digits of the PAN requires a legitimate business need. | Merchants; service providers

3.5.1 | New requirement | Requires service providers to maintain a documented description of their cryptographic architecture. | Service providers

6.4.6 | New requirement | Requires change control procedures to include verification that all PCI DSS requirements impacted by the change remain in place after it. | Merchants; service providers

8 | Clarification | Clarified that authentication requirements do not apply to accounts used by consumers (e.g., cardholders). | Merchants; service providers

8.3 | Updated requirement | Expanded requirement 8.3 into sub-requirements to require multifactor authentication for all personnel with non-console administrative access and all personnel with remote access to the CDE. | Merchants; service providers

9.1.1 | Clarification | Clarified that either video cameras or access control mechanisms (or both) can be used to monitor access to sensitive areas. | Merchants; service providers

10.8 | New requirement | Requires service providers to implement a process to detect and report failures of critical security control systems. | Service providers

11.3.4.1 | New requirement | Requires service providers to perform penetration testing on segmentation controls at least every six months. | Service providers

12.4 | New requirement | Requires service providers' executive management to establish responsibility for the protection of cardholder data and a PCI DSS compliance program. | Service providers

12.11 | New requirement | Requires service providers to perform reviews at least quarterly to confirm that personnel are following security policies and operational procedures. | Service providers

Appendix A2 | New requirement | Adds additional requirements for entities still using SSL/early TLS. | Merchants; service providers

Appendix A3 | New requirement | Incorporates the Designated Entities Supplemental Validation (DESV) criteria for service providers into the PCI DSS. | Service providers

We recommend that organizations take a proactive approach to planning for the changes in version 3.2. Changes such as implementing multifactor authentication for non-console administrative access could take significant resources to achieve. Organizations should consider the key dates outlined below when preparing their project plans. Keep in mind that all new requirements must be implemented for any assessment occurring on or after February 1, 2018; until then they are considered best practices.

April 2016: PCI DSS 3.2 was released, together with all supporting documents and SAQs.

October 2016: PCI DSS 3.1 retires six months after the release of PCI DSS 3.2, and all assessments or SAQs completed after that date must use version 3.2 (significant for those with year-end annual assessment cycles).

February 2018: All new requirements within PCI DSS 3.2 become effective.

June 2018: All entities must have stopped using SSL/early TLS as a security control.

Timeline (figure), 2016 to 2018:

April 2016: PCI DSS version 3.2 published
October 31, 2016: PCI DSS version 3.2 replaces 3.1
February 1, 2018: 3.2 requirements move from best practice to required
June 30, 2018: All entities must stop usage of SSL/early TLS

For more information, contact:

Scott M. Petree, 248.228.3898, [email protected]
Kyle Miller, 248.223.3495, [email protected]

plantemoran.com