PCI DSS v3.2.1 – What You Need to Know

May 18, 2018, Karl Steinkamp, Director, PCI Product and Quality Assurance

On Thursday, May 17, the PCI Security Standards Council (PCI SSC) released an updated version of the PCI DSS standard, primarily to include clarifications and minor revisions to the controls that referenced SSL/early TLS. The new version removes the notes referring to the February 1, 2018 effective date for the applicable requirements, as that date has passed. Unlike prior PCI DSS version updates, this update does not introduce any new control requirements. Even so, there are some specifics that merchants and service providers should note.

Service Providers

  1. Service providers that terminate POS POI connections (for example, an acquirer or acquirer processor) may continue to accept SSL/early TLS from merchant POS POI devices when they can show that controls are in place to mitigate the risk those connections pose to the service provider environment. 
  2. Service providers are required to document and maintain a Risk Mitigation and Migration Plan (RMMP) detailing the controls implemented to mitigate the risk of the insecure communication channel. Service providers should also communicate regularly with customers to ensure they are aware of the SSL/early TLS risks (applicable to PCI DSS Req. 2.2.3, 2.3, 4.1, and Appendix A2).

Merchants

  1. POS POI terminals that have been verified as not susceptible to any known exploits for SSL/early TLS are permitted to continue connecting to service provider payment processing endpoints that support SSL/early TLS (applicable to PCI DSS Req. 2.2.3, 2.3, 4.1, and Appendix A2). 
  2. Should a new exploit be introduced to which the POS POI is susceptible, the POS POI must be updated immediately. 
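
Both the service provider RMMP and the merchant-side terminal verification above start from the same question: which devices are still negotiating SSL/early TLS? The following is an added example (not code from the original post, Coalfire, or the PCI SSC) that answers it from captured traffic. It parses the TLS ClientHello a terminal sends, reports the highest protocol version offered (honouring the supported_versions extension that TLS 1.3 clients use), and flags anything below TLS 1.2. The sample ClientHellos, the terminal names, and the choice of TLS 1.2 as the migration floor are all constructed assumptions for illustration.

```python
"""Inventory POS terminals by the highest TLS version their ClientHello offers.

Added example; not code from the original post, Coalfire, or the PCI SSC.
"""

VERSION_NAMES = {
    b"\x03\x00": "SSL 3.0",
    b"\x03\x01": "TLS 1.0",
    b"\x03\x02": "TLS 1.1",
    b"\x03\x03": "TLS 1.2",
    b"\x03\x04": "TLS 1.3",
}
# Assumption: anything below TLS 1.2 is tracked as "SSL/early TLS" for migration.
MINIMUM_ACCEPTABLE = b"\x03\x03"
SUPPORTED_VERSIONS_EXT = 0x002B  # RFC 8446 extension type


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello.

    Returns the legacy version and the set of versions the client offers:
    the supported_versions list when present, otherwise the legacy version
    alone (RFC 8446 says legacy_version is ignored when the extension exists).
    """
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    legacy = bytes(body[0:2])
    pos = 34                                                # legacy_version (2) + random (32)
    pos += 1 + body[pos]                                    # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")     # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    offered = {legacy}
    if pos + 2 <= len(body):                                # extensions block is optional
        ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= ext_end:
            ext_type = int.from_bytes(body[pos:pos + 2], "big")
            ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
            ext_data = body[pos + 4:pos + 4 + ext_len]
            if ext_type == SUPPORTED_VERSIONS_EXT and ext_len >= 3:
                count = ext_data[0]                          # byte length of the version list
                offered = {bytes(ext_data[i:i + 2]) for i in range(1, 1 + count, 2)}
            pos += 4 + ext_len
    return {"legacy_version": legacy, "offered": offered, "highest": max(offered)}


def needs_migration(record: bytes) -> bool:
    """True when the client cannot negotiate anything at or above TLS 1.2."""
    return parse_client_hello(record)["highest"] < MINIMUM_ACCEPTABLE


def build_client_hello(legacy: bytes, supported=None) -> bytes:
    """Construct a minimal, well-formed ClientHello (test data, not a capture)."""
    body = legacy + b"\x00" * 32 + b"\x00"                   # version, random, empty session id
    body += b"\x00\x02\xc0\x2f" + b"\x01\x00"                 # one cipher suite, null compression
    if supported is not None:
        data = bytes([2 * len(supported)]) + b"".join(supported)
        ext = SUPPORTED_VERSIONS_EXT.to_bytes(2, "big") + len(data).to_bytes(2, "big") + data
        body += len(ext).to_bytes(2, "big") + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed samples standing in for ClientHellos captured from POS lanes.
SAMPLES = {
    "lane-01": build_client_hello(b"\x03\x01"),                              # TLS 1.0 only
    "lane-02": build_client_hello(b"\x03\x03"),                              # TLS 1.2
    "lane-03": build_client_hello(b"\x03\x03", [b"\x03\x04", b"\x03\x03"]),  # TLS 1.3 / 1.2
    "lane-04": build_client_hello(b"\x03\x00"),                              # SSL 3.0
}


def migration_inventory(samples: dict) -> dict:
    """Map each terminal to (highest version name, still on SSL/early TLS?)."""
    out = {}
    for name, rec in samples.items():
        info = parse_client_hello(rec)
        out[name] = (VERSION_NAMES.get(info["highest"], info["highest"].hex()),
                     info["highest"] < MINIMUM_ACCEPTABLE)
    return out


if __name__ == "__main__":
    for name, (ver, early) in migration_inventory(SAMPLES).items():
        print(f"{name}: {ver}{'  <- still on SSL/early TLS' if early else ''}")
```

In practice the records would come from a packet capture taken at the service provider's termination point, and the resulting list of lanes still stuck on SSL/early TLS is the inventory that the RMMP documents and that the merchant must re-verify whenever a new exploit against those devices appears.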

The new PCI DSS v3.2.1 ‘Requirements and Security Assessment Procedures’ documentation is now available on the PCI SSC website, with the PCI validation templates (ROC, AOC, and SAQ) forthcoming.

Merchants and service providers currently engaged in compliance validation efforts may continue to use PCI DSS v3.2 through December 31, 2018; after that date, only PCI DSS v3.2.1 may be used for compliance validation activities.

While this is a minor update compared to most, with minimal impact to most organizations, the changes are still important to understand. Should you have any questions, we are here to help keep you on a secure path!
