According to the PCI Security Standards Council (SSC):
- PCI DSS 3.2 is scheduled for publication at the end of April 2016. Publication will include a Summary of Changes document and a webinar that provides an overview of 3.2, along with the timeline and resources for putting it into place.
- PCI DSS 3.2 supporting documents including Self-Assessment Questionnaires (SAQ), Attestation of Compliance (AOC) forms, Report on Compliance (ROC) templates, Frequently Asked Questions (FAQ) and Glossary will also be available at the end of the month.
- The new requirements introduced in PCI DSS 3.2 will be considered “best practices” until February 1, 2018.
Additionally, the SSC has announced that the PCI DSS has reached a point of maturity. Consequently, it no longer plans to release major revisions of the standard on a three-year cycle, but will instead issue smaller, incremental releases more often.
So what changes are in PCI DSS 3.2?
We won’t know all the details until v3.2 is released later this month, but here is what we do know at present:
- The extension of the SSL/early TLS migration deadline to June 30, 2018 (moved from the original June 30, 2016 date announced in the Council’s December 2015 bulletin) will be written into the standard itself rather than remaining a separate information supplement.
- Multi-factor authentication requirements for accessing the cardholder data environment, which already applied to remote access, will be extended to cover local (on-network) access as well.
- Service providers will face additional scrutiny of their change management processes, and penetration testing will be required more frequently than the current annual cycle.
- There will be new Appendices in the DSS, including one dedicated to SSL/early TLS and one that brings the Designated Entities Supplemental Validation (DESV) requirements into the DSS.
- Rules around displaying card numbers (the PAN) will be modified to accommodate an upcoming change to the card number standard.
What about the 3.2 SAQs?
According to the SSC, some of the 3.2 Self-Assessment Questionnaires (SAQs) will have more requirements than 3.1 while others will have fewer requirements. In general, however, we anticipate minimal impact to the SAQs. We will provide updates here on PCI Compliance Guide upon their release later this month.
What are the key dates for PCI DSS 3.2?
- April 2016: PCI DSS 3.2, as well as all supporting documents and SAQs, will be released.
- October 2016: PCI DSS 3.1 will retire six months after the release of PCI DSS 3.2, and any assessment or SAQ begun after that date must use version 3.2. This is significant for organizations whose annual assessment cycle falls at year end.
- February 2018: All new requirements within PCI DSS 3.2 will become effective. (Prior to that they will be considered “best practices.”)
No one would call the compliance process fun. In fact, some may think it downright sucks. Learn more about how the PCI DSS applies to your business and ways in which you can simplify the process. Check out the ControlScan blog post, “The Secret to Making Compliance Suck Less.”