On May 17, 2018, the PCI DSS council published an updated standard. The updated standards document and summary of changes document are available at https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
This update consists of clarification statements that remove references to effective dates and to Secure Sockets Layer (SSL)/early Transport Layer Security (TLS) migration deadlines that have already passed. No new requirements are added in PCI DSS v3.2.1. PCI DSS v3.2 remains valid through 31 December 2018 and will be retired as of 1 January 2019.
Additional clarification updates were made relating to requirements that had effective dates of February 1, 2018.
These were listed in the press release from the council as follows:
- Updates to applicable requirements and Appendix A2 to reflect that only POS POI (point of sale point of interaction) terminals and their service provider connection points may continue using SSL/early TLS as a security control after 30 June 2018.
- Removal of multi-factor authentication (MFA) from the compensating control example in Appendix B, as MFA is now required for all non-console administrative access; addition of one-time passwords as an alternative potential control for this scenario.
Assessor Guidance on NIST password requirement changes
In May, the PCI DSS Council provided guidance to assessors on evaluating compliance with PCI DSS password requirements in companies implementing the latest NIST guidance on passwords. See our blog post NIST Digital Identity Guidelines with New “Memorized Secrets” Recommendations published in January for details on the NIST published guidelines.
During a PCI DSS assessment, a QSA is expected to evaluate the complete password environment implementation to ensure that compensating controls are in place to offset the removal of frequent password changes. QSAs will be looking for documented additional controls that accompany the removal of frequent password changes.