Ask the Auditor: PCI Readiness Series – What’s New in PCI DSS 3.2?

Changes You Should Know About in PCI DSS 3.2

In this webinar, our expert panelists will discuss the changes from PCI DSS 3.1 to PCI DSS 3.2, what they mean during a PCI assessment, what you can do to implement these changes, and how to minimize their impact. There are about 30 controls that we believe may have had significant changes, and we will try to cover as many as possible in this webinar.

In this webinar, we will discuss the following requirements from PCI DSS 3.2:

1.1.6 – Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.

1.3.5 – Removed reference to stateful inspection and restated as “allow only established connections”.

1.4 – Install a personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee owned) that connect to the Internet when outside the network, and which are also used to access the cardholder data environment (CDE).

2.1 – Hardening of systems now includes payment applications.

3.4.1 – Added note: this requirement applies in addition to all other PCI DSS encryption and key management requirements.

6.4.6 – Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.

6.5 – Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.

8.1.5 – Manage IDs used by third parties to access, support, or maintain system components via remote access.

8.3.1 – Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.

8.3.2 – Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.

9.1.1 – Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.

11.2.1 – Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high-risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking (per Requirement 6.1). Scans must be performed by qualified personnel.

12.6 – Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.

12.8.1 – Maintain a list of service providers including a description of the service provided.

12.10.2 – Review and test the plan at least annually, including all elements listed in Requirement 12.10.1.

This webinar also covers requirement changes specifically for service providers. Note that the following requirements are considered best practice until January 31, 2018, after which they will become requirements:

3.5.1 – Maintain a documented description of the cryptographic architecture.

10.8 – Implement a process for timely detection and reporting of failures of critical security control systems.

10.8.1 – Respond to failures of any critical security controls in a timely manner.

11.3.4.1 – If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.

12.11 – Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures.

To learn more about PCI compliance, check out our PCI Demystified video resources or contact us today.