Updated PCI DSS 3.2.1 Standard

By Nancy Rand
Posted in Security
On June 28, 2018

On May 17, 2018, the PCI Security Standards Council (PCI SSC) published PCI DSS v3.2.1, an updated version of the standard. The updated standard and the summary of changes document are available at https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss

This update consists of clarification statements that remove references to effective dates and Secure Sockets Layer (SSL)/early Transport Layer Security (TLS) migration deadlines that have already passed. No new requirements are added in PCI DSS v3.2.1. PCI DSS v3.2 remains valid through 31 December 2018 and will be retired as of 1 January 2019.

Additional clarification updates were made relating to requirements that had effective dates of February 1, 2018.

These were listed in the press release from the council as follows:

  • Updates to applicable requirements and Appendix A2 to reflect that only POS POI (point of sale point of interaction) terminals, and the service provider connection points they terminate to, may continue using SSL/early TLS as a security control after 30 June 2018. Appendix A2 ties this exception to terminals that can be verified as not susceptible to any known exploits for SSL and early TLS, so the exception is not a blanket one for all POS devices.
  • Removal of multi-factor authentication (MFA) from the compensating control example in Appendix B, because MFA is now required (Requirement 8.3.1) for all non-console administrative access to the cardholder data environment; one-time passwords are added as an alternative potential control for that scenario.
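The SSL/early TLS point is the one most teams still need to verify by hand. As an added example (not from the original post, from PCI SSC, or from the author), the Python script below audits nginx `ssl_protocols` and Apache `SSLProtocol` directives for versions that still enable SSL or early TLS, and includes a live probe that pins a client handshake to TLS 1.0 and TLS 1.1 against a host you name. The configuration snippets are constructed for the example; `probe_early_tls` assumes network access and a Python/OpenSSL build that is still willing to offer those versions (modern builds may refuse, which the function reports as `None`).

```python
"""Audit web-server TLS settings for SSL / early TLS (PCI DSS Appendix A2).

Added example: not code from the original post, PCI SSC, or the author.
"""
import re
import socket
import ssl
import sys

# Versions PCI DSS Appendix A2 calls "SSL/early TLS".
EARLY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# What Apache 2.4's `SSLProtocol all` expands to (SSLv2 support was removed).
ALL_KEYWORD = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
_CANON = {v.lower(): v for v in EARLY_TLS | ALL_KEYWORD}
_CANON["tlsv1.0"] = "TLSv1"  # accept the spelled-out form too

# nginx: `ssl_protocols TLSv1.2 TLSv1.3;`   Apache: `SSLProtocol all -SSLv3`
_DIRECTIVE = re.compile(
    r"^\s*(ssl_protocols|SSLProtocol)\s+([^;#\n]+)", re.IGNORECASE | re.MULTILINE
)


def enabled_protocols(args: str) -> set:
    """Evaluate an nginx version list or an Apache expression (`all`, `+X`, `-X`)
    into the set of protocol versions the directive leaves enabled."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        versions = set(ALL_KEYWORD) if name.lower() == "all" else {_CANON.get(name.lower(), name)}
        if sign == "-":
            enabled -= versions
        else:
            enabled |= versions
    return enabled


def audit_config(config_text: str) -> list:
    """Return (directive, [early TLS versions]) for each directive that still
    enables SSL or early TLS. An empty list means the file is clean."""
    findings = []
    for m in _DIRECTIVE.finditer(config_text):
        weak = enabled_protocols(m.group(2)) & EARLY_TLS
        if weak:
            findings.append((m.group(0).strip(), sorted(weak)))
    return findings


def probe_early_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Pin a client handshake to TLS 1.0 and TLS 1.1 in turn.
    True: the server negotiated it; False: refused; None: local OpenSSL would not offer it."""
    results = {}
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # probing protocol support only, not the certificate
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except ValueError:
            results[version.name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[version.name] = tls.version() in ("TLSv1", "TLSv1.1")
        except (ssl.SSLError, OSError):
            results[version.name] = False
    return results


# Constructed sample directives: the weak form beside its corrected form.
NGINX_BEFORE = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"
NGINX_AFTER = "ssl_protocols TLSv1.2 TLSv1.3;\n"
APACHE_BEFORE = "SSLProtocol all -SSLv3\n"  # still leaves TLSv1 and TLSv1.1 on
APACHE_AFTER = "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\n"

if __name__ == "__main__":
    for label, text in [("nginx before", NGINX_BEFORE), ("nginx after", NGINX_AFTER),
                        ("apache before", APACHE_BEFORE), ("apache after", APACHE_AFTER)]:
        print(label, "->", audit_config(text) or "clean")
    if len(sys.argv) > 1:  # optional: python audit_tls.py host [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(sys.argv[1], probe_early_tls(sys.argv[1], port))
```

Run it with no arguments to see the constructed directives classified; pass a hostname to probe a real endpoint. A `True` for either version in the probe result means the service still negotiates early TLS and, unless it is a qualifying POS POI termination point, is out of scope for the Appendix A2 exception.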

Assessor Guidance on NIST password requirement changes

In May, the PCI SSC provided guidance to assessors on evaluating compliance with the PCI DSS password requirements at companies that have adopted the latest NIST guidance on passwords (NIST SP 800-63B). See our blog post NIST Digital Identity Guidelines with New “Memorized Secrets” Recommendations, published in January, for details on the NIST guidelines.

During a PCI DSS assessment, a QSA is expected to evaluate the complete password implementation to confirm that compensating controls are in place for the removal of periodic password changes (PCI DSS Requirement 8.2.4 still calls for a change at least every 90 days). QSAs will be looking for documented additional controls that accompany the removal of frequent password changes, not just a policy statement that NIST guidance has been adopted.

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.