Preparing for PCI DSS 3.2 in 2016

Author: Dustin Rich, CISSP ((ISC)2), CISA (ISACA), PCI QSA, PA QSA, MCSE, CCNA, CCA; Managing Consultant at A-LIGN.

The PCI DSS 3.2 update, which will likely take the place of the previously anticipated Q4 2016 update, will include changes that aim to take into account “market feedback” while also observing “trending attacks causing compromises.”

Specific changes noted by Troy Leach of the PCI Security Standards Council include:

  • Expanded multi-factor authentication requirements for administrative access into the Cardholder Data Environment (CDE)
  • Incorporating some of the Designated Entities Supplemental Validation (DESV) criteria for service providers
  • Clarifying the masking criteria for primary account numbers (PANs) when displayed
  • Including the updated migration dates for SSL/early TLS that were published in December 2015
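As an added illustration of the PAN masking point (this is example code written for this article, not code from the PCI Council or from A-LIGN), the following Python shows masking that never displays more than the first six and last four digits, which is the maximum Requirement 3.3 allows, together with a Luhn check so that a log scrubber does not redact every long number it finds. The role names, the `ROLE_MASK` table and the sample log line are assumptions constructed for the example; the test card number is the well-known 4111 1111 1111 1111.

```python
import re

# Requirement 3.3: at most the first six and last four digits may be shown.
MAX_LEAD, MAX_TRAIL = 6, 4

# Assumed, illustrative mapping of job role -> (leading, trailing) digits shown.
# Only roles with a documented business need should see anything beyond last four.
ROLE_MASK = {
    "fraud_analyst": (6, 4),     # BIN plus last four for fraud investigation
    "customer_service": (0, 4),  # last four only, enough to confirm a card
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, lead: int = MAX_LEAD, trail: int = MAX_TRAIL) -> str:
    """Mask a PAN for display, stripping separators and keeping at most
    the first `lead` and last `trail` digits visible."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    if lead > MAX_LEAD or trail > MAX_TRAIL:
        raise ValueError("Requirement 3.3 permits at most first six and last four")
    hidden = len(digits) - lead - trail
    return digits[:lead] + "*" * hidden + digits[len(digits) - trail:]


def pan_for_display(pan: str, role: str) -> str:
    """Apply the role's masking profile; unknown roles get the strictest view."""
    lead, trail = ROLE_MASK.get(role, (0, 4))
    return mask_pan(pan, lead, trail)


# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def redact_pans(text: str) -> str:
    """Replace Luhn-valid PANs in free text (e.g. a log line) with a last-four mask.
    Numbers that fail Luhn (order IDs, timestamps) are left untouched."""
    def _sub(match: re.Match) -> str:
        candidate = match.group(0)
        digits = re.sub(r"\D", "", candidate)
        if luhn_valid(digits):
            return mask_pan(digits, 0, 4)
        return candidate
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample log line; the second number is not a valid PAN.
    line = "order 42 paid with 4111 1111 1111 1111 ref 12345678901234"
    print(pan_for_display("4111111111111111", "fraud_analyst"))
    print(pan_for_display("4111111111111111", "customer_service"))
    print(redact_pans(line))
```

The Luhn check is only a false-positive filter: a 1-in-10 chance remains that an unrelated number passes it, so the scrubber errs on the side of masking. Masking on display is also not a substitute for rendering stored PAN unreadable (Requirement 3.4); the two controls address different exposure paths.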

An important procedural change that Troy Leach mentioned is that, because PCI DSS has matured as a standard, smaller incremental changes (as opposed to the three-year major revision) are likely to happen as the Council attempts to keep up with the ever-changing payment card industry. These intermittent changes are necessary as the EMV chip rollout moves forward in the United States and as new technologies and new payment methods are adopted.

PA-DSS will be updated a month following the release of PCI DSS 3.2.

How does it impact you?

Organizations looking to prepare for the update should continue regular evaluation of their payment acceptance practices and be aware of the risks inherent in their environment. In addition, it is important that third-party service providers be aware of the upcoming update and understand how it may affect them. Leach also recommends “evaluating newer payment technology like tokenization and encryption” to improve an organization’s “security posture.”

So how will these changes affect you and your compliance efforts this year? It is important to note that whenever the Council introduces a requirement involving a new technology or control, it allows an adoption period, during which the requirement is treated as a best practice, before it becomes mandatory. We have seen this in the past with the requirements around penetration testing (Requirement 11.3), web application firewalls (Requirement 6.6), and payment terminal physical security (Requirement 9.9).

When the new standard is released, we recommend you communicate with your assessor to review how the changes affect your specific environment and determine an appropriate plan of action.

If you have questions regarding PCI DSS or how PCI DSS 3.2 may impact your specific environment, please contact A-LIGN at [email protected] or 1-888-702-5446.