Just like spring - a new version of PCI DSS will come early this year!

Last week the PCI Standards Council commented on the upcoming DSS 3.2 update and what it means for the rest of 2016.

Ever since the sunset of SSL and early TLS was extended in December, the industry has been awaiting the update of the DSS and PA-DSS, expected before June 2016, to adjust the published timelines. We also expected the update would incorporate any feedback the council has received and remove the pre-June 2015 testing procedures. The good news is that the new update of the standard goes further and includes the following:

  • DSS 3.2 will be the only update released this year, and it will be available this spring rather than as an additional version (4.0) in November. DSS 3.1 will be retired within 3 months of the release of 3.2.
  • Furthermore, major updates may not be on the table for a while, as the PCI SSC has acknowledged the standard has attained a level of maturity they are comfortable with.
  • New requirements will be added, and the PCI SSC has indicated that they will allow “long sunrise dates” to permit organizations to evaluate, prioritize, and implement.
  • Some potential upcoming changes were indicated:
      • “...additional multi-factor authentication for administrators within a Cardholder Data Environment...”, which suggests that recent breaches have found weaknesses with administrator CDE access.
      • Some aspects of the Designated Entities Supplemental Validation (DESV) criteria for service providers, which enforces the idea of PCI Business as Usual (BAU). DESV was introduced in 2015 as an exceptional standard for high-risk entities (e.g. very high volume, aggregation, and breached organizations).
      • Changes to masking requirements for displayed PAN.

The addition of new requirements may also impact any organizations that have compensating controls in place that rely on any of the new controls. The team at Control Gap will be monitoring updates and will provide analysis and commentary when 3.2 arrives.
