Security Blog

What to expect from PCI DSS 3.2!

PCI DSS 3.2 is coming soon (April-May) and will be effective immediately. The previous standard, PCI DSS 3.1, will coexist for another 3 months before it is put to rest and PCI DSS 3.2 takes over.

A new “Tables of the law” will shed some light on the SSL/early TLS chaos that erupted with PCI DSS 3.1. In addition, an appendix detailing the migration process will be added to the ROC for those entities that are still dealing with old SSL or early TLS.

This migration will have to be completed by June 30th 2018, not June 30th 2016.

3.2 will also clarify the terminology related to multi-factor authentication in Requirement 8.3. Going forward, “multi-factor” will be used instead of “two-factor” authentication for remote access to the CDE, and the related requirements will be expanded. All administrative access to the CDE will now be required to use multi-factor authentication (console access also? Apparently yes, but this is still to be confirmed).

Displaying the PAN will change. It will be possible to display more than the first six/last four digits of the PAN, but only for a documented and specific business need.
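To make the display rule concrete, here is an added example (my own code, not part of the original post and not from 24 Solutions) of a PAN masking helper that shows at most the first six and last four digits by default and only widens the view when a business need and a requester are recorded. The function names, the `AUDIT_LOG` list and the sample card numbers are all constructed for the illustration; the Luhn check is only there to catch mistyped test data, not to validate real cards.

```python
import re

# Constructed audit trail for extended-display requests. In a real system this
# would be a log sink or SIEM feed, not a module-level list.
AUDIT_LOG = []

# PCI DSS masking limits: at most the first six and last four digits visible
# without a documented business need.
DEFAULT_PREFIX = 6
DEFAULT_SUFFIX = 4


def normalise_pan(pan):
    """Strip spaces and dashes; reject anything that is not a 13-19 digit PAN."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a well-formed PAN")
    return digits


def luhn_valid(digits):
    """Luhn check-digit validation (catches typos in constructed test data)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan, visible_prefix=DEFAULT_PREFIX, visible_suffix=DEFAULT_SUFFIX,
             business_need=None, requested_by=None):
    """Return the PAN with everything except the allowed digits replaced by '*'.

    Anything wider than first six/last four is an extended display and must carry
    a documented business need and a named requester, which are written to the
    audit trail. At least one digit is always left masked: showing the full PAN is
    an access-control decision, not a display-masking one.
    """
    digits = normalise_pan(pan)
    if not luhn_valid(digits):
        raise ValueError("PAN fails Luhn check")

    extended = visible_prefix > DEFAULT_PREFIX or visible_suffix > DEFAULT_SUFFIX
    if extended:
        if not business_need or not requested_by:
            raise PermissionError(
                "extended PAN display requires a documented business need "
                "and a requester")
        AUDIT_LOG.append({
            "requested_by": requested_by,
            "business_need": business_need,
            "visible_prefix": visible_prefix,
            "visible_suffix": visible_suffix,
            "last4": digits[-4:],   # enough to correlate, never the full PAN
        })

    hidden = len(digits) - visible_prefix - visible_suffix
    if hidden < 1:
        raise PermissionError("display must leave at least one digit masked")
    # Slice from the end by length rather than digits[-visible_suffix:], which
    # would return the whole string when visible_suffix is 0.
    return (digits[:visible_prefix] + "*" * hidden
            + digits[len(digits) - visible_suffix:])


if __name__ == "__main__":
    # Constructed sample PAN (a well-known test number), not real cardholder data.
    print(mask_pan("4111 1111 1111 1111"))
    print(mask_pan("4111111111111111", visible_prefix=8,
                   business_need="chargeback dispute matching",
                   requested_by="ops-user-42"))
    print(AUDIT_LOG)
```

The default call is what a customer-service screen should render; the widened call is the exception path the standard now permits, and the audit entry is what a QSA would expect to see when asking why more than six/four digits were shown.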

Another big impact will be on Service Providers. Requirements will change regarding:

  • Documentation of the cryptographic architecture (previously only the key sizes had to be stated)
  • Detection of, and reporting on, failures of critical security control systems
  • Penetration testing on segmentation controls will be required every six months (previously it was once a year)
  • Confirmation that personnel are aware of and following security policies and procedures at least quarterly

Other minor updates will address the drafting of the ROC, such as adding a logo to the header of the ROC, but not to the footer. An additional page at the beginning will be allowed, but nothing more.

Many minor updates but, in my opinion, nothing radical. Cautious QSAs can relax for the time being: what is the point of mentioning a cryptographic architecture if you do not detail how it is put in place?

In his comedy Much Ado About Nothing, William Shakespeare wrote about the ability to trick people into confessing what should be kept secret, a misdoing of some incautious QSAs.

In The Name of The Rose, Umberto Eco, through the words of the despicable “Jorge the Venerable”, said there is no progress in knowledge, only a constant and sublime revisiting; surely not always true, but often true, in truth :).

In PCI DSS 3.2, Shakespeare and Eco would have been happy to see many of their characters’ metaphorical quotes well represented.

24 Solutions AB