What's changed in PA-DSS 3.2? Impacts to Vendors, Implementers, and Operators.

Posted by David Gamey on 26 Aug 2016.

Recently, Control Gap posted an article performing a detailed analysis of the recent changes in the DSS due to 3.2. We do this because the high-level change summaries published by the PCI Security Standards Council provide only a starting point for in-depth investigation.  Our detailed analysis provides a useful next step that can help organizations to more fully understand the impact of changes to their environment.

PCI PA-DSS is a supporting standard that aligns with PCI DSS.  It has typically moved in lock step with the DSS.  So when the DSS changes, so does the PA-DSS. This article looks at the recent changes in detail.

While the PA-DSS may be primarily of interest to vendors of payment applications, it also affects any organization that implements or operates these applications. This article will be of use not only to payment application vendors, but also to those who implement and operate payment applications.

What Is the Difference Between PCI PA-DSS v3.1 and PCI PA-DSS v3.2?

In addition to over one thousand changed words, 2 new requirements, and 1 numbering change, there were:

28 Total Discrete Change Clusters

  • 16 of these changes have an impact rating of None. These changes have a negligible impact on compliance and help to improve clarity and understanding on intent.
  • 11 of these changes have an impact rating of Low. These changes have a low impact on compliance and are a new incremental change that potentially alter compliance efforts.
  • 1 change has an impact rating of High. This new requirement has a potential high impact on compliance and are can  potentially significant involve effort to achieve or sustain compliance.pa-dss-change-clusters-269x300

5 Evolving (New or Changed) Requirements

  • 4 of these changes have an impact rating of Low (#3, 4, 5, 9, 18 in our analysis)
  • 1 of change has an impact rating of High (#18 in our analysis)

pa-dss-evolving-298x300

There are several other significant differences between PCI DSS V3.1 and PCI DSS V3.2. To see a quick overview of the rest of the changes, read our Change Analysis Brief. If you would like to know every word that changed, read our Change Analysis Document.