On February 1, 2018, nine new PCI DSS requirements went into effect. Four months later, the PCI Security Standards Council (SSC) published a minor revision to the PCI DSS.
PCI DSS v3.2.1 replaces v3.2 and addresses effective dates and Secure Sockets Layer (SSL)/early Transport Layer Security (TLS) migration deadlines that have passed. Though PCI DSS v3.2.1 does not introduce any new requirements, let’s discuss the minor revisions made, when they go into effect, and what you need to do to ensure compliance with this new version of the PCI DSS.
When Does PCI DSS v3.2.1 Go Into Effect?
PCI DSS v3.2 will remain valid through December 31, 2018 and will be retired on January 1, 2019. Until then, entities can validate to either version; as of January 1, 2019, all entities must validate to at least PCI DSS v3.2.1.
According to Troy Leach, the PCI SSC Chief Technology Officer, there is a six-month transition period beginning July 1, 2018 for entities transitioning between PCI DSS v3.2 and v3.2.1.
What Changes Are Addressed In PCI DSS v3.2.1?
According to the summary of changes published by the PCI SSC, PCI DSS v3.2.1 seeks to clarify the intent of the requirements and make the document more user-friendly. The clarifications in the new version of PCI DSS include updates to:
- PCI Requirements 2.2.3, 2.3, and 4.1: PCI DSS v3.2.1 no longer includes the note and testing procedure regarding the use of Appendix A2 to report SSL/early TLS migration effort because the migration deadline has already passed.
- PCI Requirements 3.5.1, 6.4.6, 8.3.1, 10.8, 10.8.1, 11.3.4.1, 12.4.1, 12.11, and 12.11.1: Because these requirements went from being best practices to requirements on February 1, 2018, PCI DSS v3.2.1 no longer needs a note addressing the effective date of these requirements as it has already passed.
- PCI Requirement 3.6.2: PCI DSS v3.2.1 addresses an error in the guidance, changing a reference from PCI Requirement 3.5.1 to 3.5.2.
- Appendix A2: The new version of PCI DSS notes that the SSL/early TLS migration date has already passed. PCI DSS v3.2.1 also updates Requirements A2.1 – A2.3 “to focus only on the allowance for POS POIs that are not susceptible to known exploits and their service provider termination points to continue using SSL/early TLS.”
- Appendix B (Compensating Controls): The compensating control example in PCI DSS v3.2.1 has been updated to reflect that MFA is now a requirement rather than an optional control. The summary states, “Removed MFA from the compensating control example, as MFA is now required for all non-console administrative access. Added use of one-time passwords as an alternative potential control for this scenario.”
Learn more about every single PCI DSS requirement with our PCI demystified webinar series.
How Can I Ensure That I Am Compliant With PCI DSS v3.2.1?
To ensure compliance with the new version of PCI DSS, you should be working now and throughout the six-month transition period to:
- Update your reporting templates and forms
- Complete your migration from SSL/early TLS prior to June 30, 2018 (the only remaining allowance is the narrow Appendix A2 exception for POS POI devices that are not susceptible to known exploits and their service provider termination points)
- Finish validations for 2018 using whichever version, v3.2 or v3.2.1, best addresses your organization’s reporting needs
- Be ready to validate to v3.2.1 by January 1, 2019, when v3.2 is retired
If you have questions about how these updates to the PCI DSS will impact your compliance or need additional help with implementation, contact us today.