PCI DSS 3.2 Release

April 12, 2016 3:13 pm

PCI DSS 3.2 – What Changes You Should Expect ?

You may have heard that the PCI Security Standards Council (PCI SSC) is planning to release PCI DSS 3.2 in April 2016. But what does this mean? How much will you need to change at your business ? Why are they releasing it early? Here are some things you should know.

The PCI Security Standards Council has decided to release PCI DSS 3.2 in advance of the next major release.  The primary driver was to publish updates to the requirements for migration of TLS (Transport Layer Security).  Since the deadline for implementation has been changed from June 2016 to June 2018, the PCI SSC wanted to ensure merchants were aware of that.  There are also some other minor changes to the standard incorporated with the relese of PCI DSS 3.2.

Let’s take a closer look at some of the changes expected to be introduced with PCI DSS 3.2.

PCI DSS 3.2 – Multi-factor authentication requirements revised
PCI DSS 3.2 will include additional multi-factor authentication requirements for Administrators within a Cardholder Data Environment (CDE). Multi-factor or two-factor authentication is an effective way to secure your CDE and is a requirement under PCI DSS. To properly configure two-factor authentication, you must have two of three things:
• Something you know (username, password, etc.)
• Something you have (a certificate or code from a code generator)
• Something you are (Fingerprint and other biometrics)
Prior to PCI DSS 3.2, multi-factor authentication was only required for remote access to the network by employees, administrators, and third parties. But now, even if your connection is within the CDE, multi-factor authentication is required. As with all the PCI DSS requirements, this is a reflection of the current threat landscape. These changes helps strengthen security within your CDE.

Incorporating Designated Entities Supplemental Validation into PCI DSS
PCI DSS 3.2 is likly to incorporate some additional validation procedures for Service Providers. In addition to full PCI DSS validation, designated entities as determined by Acquirers or Card Schemes are required to undertake additional validation to determine whether the business’s day-to-day practices are reflective of their compliance status.
The additional validation procedures are for designated entities to ensure they remain PCI DSS compliant on a day-to-day basis.
An example would be looking at a list of all the change controls in a merchant’s environment for the past year. These procedures could include anything that shows the day-to-day compliance. Some examples include:
• Enhanced documentation
• Suspicious events mapped
• Validation of logical access to CDE controlled and managed effectively

Clarifying masking criteria
PCI DSS 3.2 will clarify masking criteria for primary account numbers (PAN) when displayed or stored. Masking is described as hiding information from view, an example of a masked PAN is 5353 16## #### 0316. Masked PANs are not considered cardholder data, so can be stored unencrypted. Masked PANs can include at most, the first six and the last four digits. If more numbers are displayed, it is not considered to be masked and all the PCI DSS requirements such as logging of access, protection in storage and transmission apply.

Revised TLS migration deadline date
In December 2015, the migration dates for organisations to move from SSL and early TLS to the latest secure version of TLS were changed from June 2016 to June 2018. The PCI Secuirty Standards Council wanted to reflect that date change in the latest version of PCI DSS.
Many businesses are still electing to address this requirement as soon as possible, as use of SSL encryption is now a known risk since it has many exploitable vulnerabilities. Even though the deadline has been extended, we woudl still recommend that migration to current TLS be performed as soon as possible.

Preparing for PCI DSS 3.2
Many of the additional changes in PCI DSS 3.2 are expected to be additional information and clarification which are not expected to have an adverse impact on PCI DSS compliance. Depending on your business model and technology, some changes will need to be considered. To prepare for PCI DSS 3.2, we suggest you look at how two-factor authentication is used, ensure that your day-to-day processes reflect PCI DSS compliance, and plan to migrate to the current versions of TLS as soon as possible.

For further detail on how the expected changes to PCI DSS might impact your PCI DSS compliance status, please call us on 1800 816 044.

Kelvin Heath
Chief Security Officer