The Payment Card Industry Security Standards Council (PCI SSC) published a minor revision to version 3.2 of its Data Security Standard (PCI DSS).
On 17 May, PCI SSC published PCI DSS version 3.2.1. The purpose of the update was to clarify organizations’ use of the Standard and when they would need to upgrade their use of common cryptographic protocols. PCI SSC Chief Technology Officer Troy Leach expanded on the motive for the Standard’s revision in a press release:
This update is designed to eliminate any confusion around effective dates for PCI DSS requirements introduced in v3.2, as well as the migration dates for SSL/early TLS. It is critically important that organizations disable SSL/early TLS and upgrade to a secure alternative to safeguard their payment data.
In version 3.2.1, PCI SSC specifically removed notes referring to 1 February 2018 as an application deadline. It also updated the Standard’s requirements and Appendix A2 to limit the use of Secure Sockets Layer (SSL)/early Transport Layer Security (TLS) after 30 June 2018 to only point-of-sale point-of-interaction (POS POI) terminals and the service provider connection points they communicate with.
Another important change involved the removal of multi-factor authentication (MFA) as a compensating control example in Appendix B of the standard. PCI SSC made this update to reflect the fact that all non-console administrative access now requires MFA, with one-time passwords serving as an effective alternate control in these scenarios.
The Security Standards Council made a few additional minor updates and included a link to its Document Library so that organizations can learn more about the changes.
Because version 3.2.1 introduces no new requirements, organizations can continue to use PCI DSS version 3.2 through 31 December 2018. If they decide to do so, they should familiarize themselves with some of the key challenges of achieving compliance with this version and how they can overcome them.