Version 3.2 of the PCI Data Security Standard (PCI DSS) was retired at the end of 2018.
Here are some reminders and resources for organizations completing their transition from PCI DSS version 3.2 to PCI DSS version 3.2.1.
PCI DSS Reminders
January 2019: PCI DSS v3.2 Retired
PCI DSS v3.2 will remain valid through December 31, 2018, and will be retired as of January 1, 2019. Prior to January 1, 2019, you may validate to either version 3.2 or 3.2.1 of the standard. However, as of January 1, 2019, all validations must be to v3.2.1.
PCI DSS v3.2.1, which was published in May 2018, gave organizations six months to complete their transition from v3.2. This transition period was provided to allow organizations time to update their reporting templates and forms. It also provided flexibility for entities whose validations in the latter half of 2018 encompassed the completion of their migration from SSL/early TLS prior to June 30, 2018.
Reminder: Use of SSL/Early TLS
Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) may not be used as a security control for PCI DSS, except by point-of-sale (POS) point-of-interaction (POI) terminals that are verified as not being susceptible to known exploits, and the termination points to which they connect, as defined in PCI DSS Appendix A2.
If SSL/early TLS is still being used as a security control for PCI DSS, organizations should ensure compensating controls are implemented to mitigate the risk associated with its use and take the necessary steps to migrate to a secure alternative as soon as possible.
PCI DSS Resources
Information Supplements
SSL/Early TLS: Following the release of PCI DSS v3.2.1, PCI SSC published updated guidance on the use of SSL/Early TLS:
- Use of SSL/Early TLS and Impact on ASV Scans: Provides guidance for merchants and service providers using SSL/early TLS after 30 June 2018, and its impact on PCI DSS and ASV scans.
- Use of SSL/Early TLS for POS POI Terminal Connections: Additional guidance specifically for merchants and service providers using SSL/early TLS for card-present POS POI terminal connections after 30 June 2018.
Multi-factor Authentication (MFA): The MFA Information Supplement provides guidance on a number of industry-recognized best practices that should be included as part of a secure MFA implementation. This guidance is intended to help organizations understand the security principles for implementing and adapting MFA solutions effectively in order to better address security risks.
Cloud Computing Guidelines: Another PCI SSC SIG initiative, the PCI SSC Cloud Computing Guidelines provide guidance on how the use of cloud computing may affect PCI DSS implementations.
All of these information supplements are available on the PCI SSC Website in the Document Library under “Guidance Documents”.