PCI Security Standards Council Releases PCI DSS Version 3.2

The PCI Security Standards Council (PCI SSC) has published the latest version of its data security standard to address increased threats and more sophisticated attacks targeting customer payment information.

Designed to protect payment data before, during and after a purchase, PCI Data Security Standard (PCI DSS) version 3.2 replaces version 3.1, which will expire on October 31, 2016. Companies that accept, process or receive payments should adopt the new version as soon as possible, the Council says.

“The payments industry recognizes PCI DSS as a mature standard, so the primary changes in version 3.2 are clarifications on requirements that help organizations confirm that critical data security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process,” said PCI Security Standards Council General Manager Stephen Orfei.

“This includes new requirements for administrators and services providers, and the cardholder data environments they are responsible to protect,” Orfei added. “PCI DSS 3.2 advocates that organizations focus on people, process and policy, with technology playing an important role in reducing the overall cardholder data footprint.” 

Key changes in PCI DSS 3.2 include:

Revised Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) sunset dates as outlined in the Bulletin on Migrating from SSL and Early TLS

Expansion of requirement 8.3 to include use of multi-factor authentication for administrators accessing the cardholder data environment

Additional security validation steps for service providers and others, including the “Designated Entities Supplemental Validation” (DESV) criteria, which was previously a separate document.

“These new guidelines will marginally improve PCI security or prevent breaches,” John Bambenek, Threat Systems Manager of Fidelis Cybersecurity, told SecurityWeek. “No compliance regime is ever truly successful in preventing breaches. Attackers will continue to try – some successfully – to breach networks to obtain valuable information.”

However, Bambenek says there is some good brought about by the latest security requirements. “The use of two-factor authentication for access into financially significant environments is something we’ve been advocating for almost ten years,” he said.  

“Requiring actual penetration tests, versus scanning, is also a great leap forward,” Bambenek says. “Static vulnerability scanners can miss a great deal, and the move to penetration tests shifts the focus from retrospective testing to what an attacker can actually do.”

The full details on PCI DSS version 3.2, including a Summary of Changes document, are available online.