PCI DSS 3.1 and 3.2 – Changes Explained
PCI DSS version 3.2 is the latest iteration of the payment security standard introduced by the PCI Security Standards Council to safeguard the transmission and storage of payment card data.
PCI DSS version 3 was published in November 2013.
In April 2015, version 3.1 (and supporting guidance) was published to address vulnerabilities within the Secure Sockets Layer (SSL) encryption protocol that can put payment data at risk. Version 3.1 provides minor updates and clarifications to version 3.
In December 2015, a bulletin was published to extend the deadline for Secure Sockets Layer (SSL)/early Transport Layer Security (TLS) migration, and in April 2016 version 3.2 was finalised to include the revised migration dates and address changes in the threat and payment acceptance landscape.
Version 3.1 will be retired on 31 October 2016. The latest version of the PCI DSS was published in May 2016.
Stronger definition of cryptography
Version 3.1 was introduced after security alerts found that SSL (Secure Sockets Layer) was no longer an acceptable encryption protocol for the protection of data, due to inherent weaknesses exploited by browser attacks such as POODLE and BEAST. Updates to the PCI DSS were needed to address this issue. Version 3.1 called for upgrades to a more secure protocol, TLS (Transport Layer Security).
In April 2015, the PCI SSC removed SSL as an example of cryptography, stating that it can no longer be used as a security control after 30 June 2016.
In December 2015, the PCI Council issued a bulletin to extend the final migration date to 30 June 2018 for transitioning from Secure Sockets Layer (SSL) and Transport Layer Security (TLS) v1.0 to a secure version of TLS (currently v1.1 or higher).
The following requirements of PCI DSS were affected by version 3.1:
2.2.3 (encryption for VPNs, NetBIOS, file sharing, Telnet, FTP and similar services)
2.3 (encryption for web-based management and other non-console administrative access)
4.1 (encryption of cardholder data during transmission over open, public networks)
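Requirements 2.2.3, 2.3 and 4.1 all turn on the same question: which protocol version did a service actually negotiate? A scan of an in-scope service, or a packet capture of its handshake, answers that from the two version bytes in the ServerHello. The following script is an added example, not part of this page or of any PCI SSC tool: it parses a ServerHello record, names the negotiated version, and flags SSLv3 and TLS 1.0 as needing an entry in the SSL/early TLS migration plan, treating TLS 1.1 as the oldest acceptable version as the text above states. The sample records it runs over are constructed in the script itself; `build_server_hello`, `assess` and `MINIMUM_ACCEPTABLE` are names chosen here, not PCI DSS terminology.

```python
"""Classify the protocol version negotiated in a TLS/SSL ServerHello.

Added example (not from the page): the version bytes inspected here are
what a PCI scan or a capture of a handshake would use to decide whether a
service still negotiates SSL or early TLS.
"""
import struct

# Wire-format version codes (SSLv3: RFC 6101; TLS: RFC 5246).
VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",  # a TLS 1.3 server also puts 3,3 here (legacy_version)
}

# Oldest version the page describes as acceptable after the migration date.
MINIMUM_ACCEPTABLE = (3, 2)  # TLS 1.1

HANDSHAKE_RECORD = 0x16
ALERT_RECORD = 0x15
SERVER_HELLO = 0x02


def parse_server_hello_version(record: bytes) -> tuple:
    """Return (major, minor) from a ServerHello handshake record.

    Layout: record type(1) version(2) length(2) | handshake type(1) length(3) version(2) ...
    The version inside the handshake body is the one the server selected; the
    record-layer version is only a hint and is deliberately ignored.
    Raises ValueError when the bytes are not a complete ServerHello.
    """
    if len(record) < 11:
        raise ValueError("record too short")
    content_type, _maj, _min, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != HANDSHAKE_RECORD:
        raise ValueError(f"not a handshake record: type 0x{content_type:02x}")
    body = record[5:5 + rec_len]
    if len(body) < 6 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_len + 4 > len(body):
        raise ValueError("truncated ServerHello")
    return body[4], body[5]


def assess(record: bytes) -> dict:
    """Name the negotiated version and say whether it needs migration work."""
    version = parse_server_hello_version(record)
    name = VERSION_NAMES.get(version, f"unknown ({version[0]}.{version[1]})")
    acceptable = version >= MINIMUM_ACCEPTABLE
    return {
        "version": name,
        "acceptable": acceptable,
        "action": "none" if acceptable else "add to SSL/early TLS migration plan",
    }


def build_server_hello(major: int, minor: int) -> bytes:
    """Construct a minimal ServerHello record for the given version (test data)."""
    random_bytes = bytes(range(32))          # constructed, not random
    session_id = b"\x00"                     # zero-length session id
    cipher_suite = b"\x00\x2f"               # TLS_RSA_WITH_AES_128_CBC_SHA
    compression = b"\x00"
    hs_body = bytes([major, minor]) + random_bytes + session_id + cipher_suite + compression
    handshake = bytes([SERVER_HELLO]) + len(hs_body).to_bytes(3, "big") + hs_body
    return bytes([HANDSHAKE_RECORD, major, minor]) + struct.pack("!H", len(handshake)) + handshake


# Constructed sample handshakes, as a scan of three in-scope services might yield.
SAMPLES = {
    "legacy-pos-gateway":   build_server_hello(3, 0),
    "admin-web-console":    build_server_hello(3, 1),
    "payment-api":          build_server_hello(3, 3),
}


if __name__ == "__main__":
    for service, record in SAMPLES.items():
        result = assess(record)
        print(f"{service:22s} {result['version']:8s} acceptable={result['acceptable']}  {result['action']}")
```

Run on a real capture, the same `assess` call over each service's ServerHello produces the inventory that requirement-level evidence (which hosts still negotiate SSL or TLS 1.0, and which have already moved) needs; the `action` field is the line item for the migration plan.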
A summary of changes from version 3.0 to version 3.1
Download here. (Agreement required)
A summary of changes from version 3.1 to version 3.2
Read the post.
How should you align to versions 3.1 and 3.2?
PCI DSS v3.1 mandates the creation of a formal risk mitigation and migration plan for existing implementations that use SSL and/or early TLS.
Point-of-sale (POS)/point-of-interaction (POI) terminals that have been verified as not being susceptible to all known exploits for SSL and early TLS may continue using these protocols as a security control after 30 June 2016. Organisations will be required to show how they intend to meet the mandated target migration deadline of 30 June 2016.
The full set of changes related to PCI DSS version 3.2 were published in May 2016.
The new requirements introduced in PCI DSS version 3.2 will be considered best practices until 31 January 2018. From 1 February 2018 they will be effective as requirements.
Further information about the broad changes introduced by PCI DSS v3 that are still applicable in v3.2:
Provides stronger focus on some of the greater risk areas in the threat environment.
Provides increased clarity on PCI DSS and PA-DSS requirements.
Builds greater understanding on the intent of the requirements and how to apply them.
Improves flexibility for all entities implementing, assessing and building in accordance with the Standard.
Drives more consistency among assessors.
Helps manage evolving risks/threats.
Aligns with changes in industry best practices.
Clarifies scoping and reporting.
Eliminates redundant sub-requirements and consolidates documentation.
Changes to the standards have been classified as “Clarification”, “Additional Guidance” and “Evolving Requirement”. The evolving requirements ensure that the standards keep pace with emerging threats and changes in the market, such as mobile acceptance and cloud computing. Throughout PCI DSS versions 3.1 and 3.2 there are key themes designed to help organisations take a proactive approach to cardholder data security.
Education and awareness
Lack of education and awareness around payment security, coupled with poor implementation and maintenance of the PCI standards, gives rise to too many of the security breaches happening today. Updates to the standards are geared towards helping organisations better understand the intent of requirements and how to implement and maintain controls properly across their business. Changes to the PCI DSS and PA DSS will help drive education and build awareness internally and with business partners and customers.
Changes to the standards focus on some of the most frequently seen risks that lead to incidents of cardholder data compromise, such as weak passwords and authentication methods, malware and poor self-detection, providing added flexibility on ways to meet the requirements. Increased flexibility will enable organisations to take a more customised approach to addressing and mitigating common risks and problem areas. At the same time, more rigorous testing procedures for validating proper implementation of requirements will help organisations drive and maintain controls across their business.
Security as a shared responsibility
Securing cardholder data is a shared responsibility. Today’s payment environment has become ever more complex, creating multiple points of access to cardholder data. Changes introduced with the PCI DSS and PA-DSS focus on helping organisations understand their PCI DSS responsibilities when working with different business partners to ensure cardholder data security.
As an approved QSA company, IT Governance is ideally positioned to help organisations comply with the requirements of the updated versions of the PCI DSS.
For more information call us on +44 (0)845 070 1750 or email firstname.lastname@example.org.
PCI DSS Resources
PCI penetration tests
PCI DSS training courses
PCI DSS toolkit
PCI DSS books
PCI DSS software scanning tools