PCI DSS v. 3.2: New Requirements Coming to Protect Your Customers’ Wallets
The Payment Card Industry (PCI) Security Standards Council (PCI Council) has released Version 3.2 of the PCI Data Security Standard (PCI DSS), which contains several new requirements for merchants, acquirers, and other entities that accept, transmit, or store cardholder data. The new release focuses on mitigating the weaknesses most commonly identified in data breach reports, including those introduced by third-party service providers, weak authentication, and outdated encryption. The changes are also intended to help companies maintain, and effectively test, compliance between annual PCI assessments. Among its changes, Version 3.2 requires multi-factor authentication for all administrative access to the cardholder data environment (not only remote access, as under Version 3.1), imposes several new requirements specific to service providers, and extends the deadline for migrating away from Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) for non-service providers to June 30, 2018.
Version 3.2 will officially replace the current PCI DSS Version 3.1 on October 31, 2016, but many of Version 3.2’s new requirements will be treated as “best practices” until compliance becomes mandatory on February 1, 2018. While the compliance deadline may seem far away today, some of the required changes, such as negotiating new contracts with service providers or replacing authentication systems and processes, may take a considerable amount of time to implement. Companies should use this window to review their security practices and make all necessary changes to ensure adherence once Version 3.2 requirements become mandatory, and to avoid potential non-compliance fines from the payment card brands.
Please click here to read our in-depth analysis of the PCI DSS Version 3.2 and the impact its changes may have on your business, developed in conjunction with and published by NetDiligence, an enterprise-level cyber risk assessment and data breach services company.