What to Expect from PCI DSS 3.2

Earlier this year, we wrote about how to prepare for PCI DSS 3.2. Now that PCI DSS 3.2 has been officially released, organizations should begin to implement the changes.

The standard should be adopted as soon as possible: version 3.1 will expire on October 31, 2016, and all new requirements will be implemented on February 1, 2018, to allow organizations time to prepare. Until that point, any changes are simply considered best practices.

PCI DSS 3.2 Changes

Specific changes include:

  • Additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE)
  • Incorporating some of the Designated Entities Supplemental Validation (DESV) criteria for service providers
  • Clarifying masking criteria for primary account numbers (PAN) when displayed
  • Including the updated migration dates for SSL/early TLS that were published in December 2015

In addition, the PCI DSS Designated Entities Supplemental Validation (DESV) criteria have officially been added as an appendix to the standard, and some PCI DSS requirements (3, 10, 11, 12) now include DESV controls for service providers.

If you are unsure about how the changes may affect your specific environment, the professionals at A-LIGN are ready to help your organization determine how PCI DSS 3.2 will impact you, as well as develop an appropriate course of action. For current clients, A-LIGN’s PCI DSS experts will be reaching out to determine how PCI DSS 3.2 affects them.

If you have questions regarding PCI DSS or how version 3.2 may impact your specific environment, please contact A-LIGN. Our PCI DSS specialists are available to answer your questions at [email protected] or 1-888-702-5446.