To accept credit cards in Canada, businesses need to be PCI compliant. Becoming PCI compliant is difficult enough in the first place, and keeping up with the changes is harder still. In May 2018 the Payment Card Industry (PCI) Security Standards Council, the body that maintains the security standards for the payment card industry, released an updated version of its compliance requirements, PCI Data Security Standard (DSS) v3.2.1.
Let us guide you through these new requirements. We found hundreds of wording changes, most of them innocuous and helpful clarifications; however, a small number of these changes will require some attention in order to maintain compliance after December 2018, when v3.2 is retired.
This article focuses on changes to the DSS standard itself. There were also significant changes to the Reporting Template, which we introduce here and will cover more fully in a follow-up article.
Continue reading for everything you need to know about PCI DSS v3.2.1.
The changes in DSS 3.2.1 are mostly administrative clarifications, minor fixes, and clean-up of future-dated requirements whose effective dates have now passed. There were hundreds of wording changes, 4 numbering changes, and 3 testing procedures removed. On the surface, these amount to virtually no added compliance effort for customers.
The largest impacts we identified in PCI DSS 3.2.1 come not from changes to the DSS itself but from a change in how its intent is interpreted. This is most evident in the PCI Self-Assessment Questionnaire A (SAQ A). Whether an entity is completing an SAQ or a Report on Compliance, e-commerce web servers that send customers to a third-party payment page, whether by iframe or by full-URL redirection, are now subject to additional requirements: patch management (DSS Requirement 6.2) now applies to these system components. This slight growth in compliance footprint may seem small, and for organizations that already patch these servers it won't be a problem. However, because the change is quietly buried in the SAQ documents and is not part of the announced DSS changes, we anticipate that it will catch many service providers and merchants by surprise and will result in compliance validation delays.
Another surprise is that there are significant changes in the reporting instructions that will affect organizations undergoing "Level 1" onsite assessments.
In addition to the hundreds of wording changes, 4 numbering changes, and 3 testing procedures removed, there were:
There are several other significant differences between PCI DSS v3.2 and PCI DSS v3.2.1. We have prepared a quick overview of the changes in our Change Analysis Brief. We have also prepared a Before & After Redline View if you would like to see every word that changed.
Given the relatively minor nature of this update, we were not expecting many changes to the Reporting Template. The Reporting Template sets out the mandatory instructions that QSAs follow when assessing "Level 1" organizations, which must undergo onsite assessments and complete a Report on Compliance (RoC). We found an increased emphasis on the specifics required in the answers. While we don't believe the intent of the instructions has changed, some organizations may find that their RoCs require additional time and effort to satisfy these instructions.
PCI DSS (standard)
PCI DSS Reporting Template