Last week the PCI Standards Council commented on the upcoming DSS 3.2 update and what it means for the rest of 2016.
Ever since the sunset of SSL and early TLS was extended in December, the industry has been awaiting the update of the DSS and PA-DSS before June 2016 to adjust the published timelines. We also expected the update would incorporate any feedback that the council has received and remove the pre-June 2015 testing procedures. The good news is that the new update of the standard goes further and includes the following:
- DSS 3.2 will be the only update that will be released this year, and will be available this spring, rather than an additional version (4.0) in November. DSS 3.1 will be retired within 3 months of the release of 3.2
- Furthermore major updates may not be on the table for a while as the PCI SSC has acknowledged the standard has attained a level of maturity they are comfortable with.
- New requirements will be added and the PCI SSC has indicated that they will allow “long sunrise dates” to permit organizations to evaluate, prioritize, and implement.
- Some potential upcoming changes were indicated:
- “...additional multi-factor authentication for administrators within a Cardholder Data Environment...” which suggests that recent breaches have found weaknesses with administrator CDE access
- Some aspects of the Designated Entities Supplemental Validation (DESV) criteria for service providers which enforces the idea of PCI Business as Usual (BAU). DESV was introduced in 2015 as an exceptional standard for high risk entities (e.g. very high volume, aggregation, and breached organizations), and changes to masking requirements for displayed PAN
The addition of new requirements may also impact any organizations that have compensating controls in place using any of the new controls. The team at Control Gap will be monitoring updates and will provide analysis and commentary when 3.2 arrives.
Robert Spivak
