New Version of PCI-DSS Released (3.2)

In case you did not see, a new version of PCI-DSS was released last week, v3.2.

Below is a link to the new standard, a differences document for moving from v3.1 to v3.2, and an interview with the council’s CTO, who provides an overview of the update and the reasoning behind some of these.

Main differences covered in the interview are:

  • Extension for SSL and early TLS migration deadlines from July 2016 to June 2018 but organisations must have a migration plan in place
  • MFA is now required for all personnel with non-console admin access, not just remote personnel
  • Services providers have 5 new requirements to implement by 1 Feb 2018
  • A formal processes to detect and response to critical failures in a prompt and repeatable manner
  • Conduct regular penetration test on segmentation controls.  Every 6 months for service providers
  • Quarterly reviews of controls evidence personnel are adhering to processes and controls
  • Executive management accountability and responsibility for protecting card data
  • Documentation and evidence of types of cryptography in use within the CDE environment


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s