PCI Security Standards Council Releases PCI DSS Version 3.2

The PCI Security Standards Council (PCI SSC) has published the latest version of its data security standard to address increased threats and more sophisticated attacks targeting customer payment information.

Designed to protect payment data before, during and after a purchase, PCI Data Security Standard (PCI DSS) version 3.2 replaces version 3.1, which will expire on October 31, 2016. Companies that accept, process or receive payments should adopt the new version as soon as possible, the Council says.

“The payments industry recognizes PCI DSS as a mature standard, so the primary changes in version 3.2 are clarifications on requirements that help organizations confirm that critical data security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process,” said PCI Security Standards Council General Manager Stephen Orfei.

“This includes new requirements for administrators and services providers, and the cardholder data environments they are responsible to protect,” Orfei added. “PCI DSS 3.2 advocates that organizations focus on people, process and policy, with technology playing an important role in reducing the overall cardholder data footprint.” 

Key changes in PCI DSS 3.2 include:

Revised Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) sunset dates as outlined in the Bulletin on Migrating from SSL and Early TLS

Expansion of requirement 8.3 to include use of multi-factor authentication for administrators accessing the cardholder data environment

Additional security validation steps for service providers and others, including the “Designated Entities Supplemental Validation” (DESV) criteria, which was previously a separate document.

“These new guidelines will marginally improve PCI security or prevent breaches,” John Bambenek, Threat Systems Manager of Fidelis Cybersecurity, told SecurityWeek. “No compliance regime is ever truly successful in preventing breaches. Attackers will continue to try – some successfully – to breach networks to obtain valuable information.”

However, Bambenek says there is some good brought about by the latest security requirements. “The use of two-factor authentication for access into financially significant environments is something we’ve been advocating for almost ten years,” he said.

“Requiring actual penetration tests, versus scanning, is also a great leap forward,” Bambenek says. “Static vulnerability scanners can miss a great deal, and the move to penetration tests shifts the focus from retrospective testing to what an attacker can actually do.”

The full details on PCI DSS version 3.2, including a Summary of Changes document, are available online from the PCI Security Standards Council.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
