In case you did not see, a new version of PCI-DSS was released last week, v3.2.
Below are links to the new standard, a summary-of-changes document for moving from v3.1 to v3.2, and an interview with the council's CTO, who gives an overview of the update and the reasoning behind some of the changes.
The main differences covered in the interview are:
- Extension of the SSL and early TLS migration deadline from July 2016 to June 2018, though organisations must have a migration plan in place
- MFA is now required for all personnel with non-console admin access, not just remote personnel
- Service providers have 5 new requirements to implement by 1 Feb 2018
- Formal processes to detect and respond to critical control failures in a prompt and repeatable manner
- Regular penetration tests of segmentation controls; every 6 months for service providers
- Quarterly reviews of controls to evidence that personnel are adhering to processes and controls
- Executive management accountability and responsibility for protecting card data
- Documentation and evidence of the types of cryptography in use within the CDE
Links:
- PCI-DSS v3.2: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf
- Changes from v3.1: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2_Summary_of_Changes.pdf
- InfoRisk podcast interview with Troy Leach, CTO, PCI Security Standards Council (10 minutes long): http://www.inforisktoday.co.uk/interviews/pci-dss-update-5-new-requirements-for-service-providers-i-3160