Skip to the main content.
Contact
Contact

1 min read

What's changed in PA-DSS 3.2? Impacts to Vendors, Implementers, and Operators.

What's changed in PA-DSS 3.2? Impacts to Vendors, Implementers, and Operators.

Recently, Control Gap posted an article performing a detailed analysis of the recent changes in the DSS due to 3.2. We do this because the high-level change summaries published by the PCI Security Standards Council provide only a starting point for in-depth investigation.  Our detailed analysis provides a useful next step that can help organizations to more fully understand the impact of changes to their environment.

PCI PA-DSS is a supporting standard that aligns with PCI DSS.  It has typically moved in lock step with the DSS.  So when the DSS changes, so does the PA-DSS. This article looks at the recent changes in detail.

While the PA-DSS may be primarily of interest to vendors of payment applications, it also affects any organization that implements or operates these applications. This article will be of use not only to payment application vendors, but also to those who implement and operate payment applications.

What Is the Difference Between PCI PA-DSS v3.1 and PCI PA-DSS v3.2?

In addition to over one thousand changed words, 2 new requirements, and 1 numbering change, there were:

28 Total Discrete Change Clusters

  • 16 of these changes have an impact rating of None. These changes have a negligible impact on compliance and help to improve clarity and understanding on intent.
  • 11 of these changes have an impact rating of Low. These changes have a low impact on compliance and are a new incremental change that potentially alter compliance efforts.
  • 1 change has an impact rating of High. This new requirement has a potential high impact on compliance and are can  potentially significant involve effort to achieve or sustain compliance.pa-dss-change-clusters-269x300

5 Evolving (New or Changed) Requirements

  • 4 of these changes have an impact rating of Low (#3, 4, 5, 9, 18 in our analysis)
  • 1 of change has an impact rating of High (#18 in our analysis)

pa-dss-evolving-298x300

There are several other significant differences between PCI DSS V3.1 and PCI DSS V3.2. To see a quick overview of the rest of the changes, read our Change Analysis Brief. If you would like to know every word that changed, read our Change Analysis Document.

PCI DSS v3.2 - What You Need to Know to Stay PCI Compliant

PCI DSS v3.2 - What You Need to Know to Stay PCI Compliant

To accept credit cards in Canada, businesses need to be PCI compliant. Becoming PCI compliant can be difficult in the first place and keeping up...

Read More
The DSS, MageCart, and the DOM – Part 2 Browsers, the DOM, and 3rd Party JavaScript

6 min read

The DSS, MageCart, and the DOM – Part 2 Browsers, the DOM, and 3rd Party JavaScript

In part two of our series, we take a deeper dive into how JavaScript works and its implications to web and e-commerce security and compliance. This...

Read More
6 Ways to Deal with the Magnitude of PCI DSS

6 min read

6 Ways to Deal with the Magnitude of PCI DSS

Are you new to PCI DSS? Perhaps you need to refresh your approach? If so, this article breaks down 6 strategies that will help you eat the...

Read More