The Payment Card Industry Security Standards Council (PCI SSC) has published a new version of the industry standard that businesses use to safeguard payment data before, during, and after purchase. PCI Data Security Standard (PCI DSS) 3.2 replaces 3.1 to address growing threats to customer payment information. Companies that accept, process or receive payments should adopt it as soon as possible to prevent, detect and respond to cyberattacks that can lead to breaches.
PCI DSS 3.2 clarifies existing requirements, adds new or evolving requirements, and offers additional guidance. These changes are itemized in the Summary of Changes from PCI DSS 3.1 to PCI DSS 3.2.
New in PCI DSS 3.2 are five new sub-requirements that apply to service providers, spread across core requirements 3, 10, 11 and 12 of the standard's 12 core requirements. New sub-requirements have also been added to requirement 8 so that multi-factor authentication is required for all non-console administrative access and for all remote access to the cardholder data environment (CDE). Additionally, there are two new appendices.
PCI DSS 3.1 will retire on October 31, 2016; after this date all assessments must use version 3.2. Until October 31, 2016, either PCI DSS 3.1 or 3.2 may be used for PCI DSS assessments. The new requirements introduced in PCI DSS 3.2 are considered best practices until January 31, 2018. Beginning February 1, 2018, they become mandatory requirements and will be assessed as such.
The supporting documents updated for PCI DSS 3.2 include the Self-Assessment Questionnaires (SAQs), Attestation of Compliance (AOC) forms, Report on Compliance (ROC) templates, Frequently Asked Questions and the Glossary. All of these documents are available in the document library on the PCI SSC website (www.pcisecuritystandards.org).