What happens next with the PCI Data Security Standard (PCI DSS)?

The following key updates and milestones are being provided to help you with your PCI DSS and payment security efforts:

PCI DSS 3.2—The Effective Date has Come and Gone

February 1, 2018 marked the date that all new requirements introduced in PCI DSS v3.2 must be adopted by organizations and included in their PCI DSS assessments.

For all organizations:

  • Change management processes to confirm that affected PCI DSS requirements are in place after a significant change (Requirement 6.4.6).
  • Multi-factor authentication for all non-console administrative access (Requirement 8.3.1).

More information: http://www.ewingoil.com/sites/ewingoil.com/files/PCI_DSS_v3-2_Summary_of_Changes.pdf

June 30, 2018 is the Deadline for SSL/Early TLS Migration

Secure Sockets Layer (SSL) and early versions of Transport Layer Security (TLS) are no longer considered secure forms of encryption.  It is critically important that organizations upgrade to a secure version of TLS (such as TLS v1.2 or higher) as soon as possible and disable any fallback to SSL/early TLS.

Many PCI DSS requirements require the use of ‘strong cryptology’ as defined in the PCI DSS glossary.  After June 30, 2018 SSL/TLS should not be used as a security control to meet any PCI DSS requirements attempting to demonstrate strong cryptology.

More information: http://www.ewingoil.com/sites/ewingoil.com/files/PCI_SSC_Migrating_from_SSL_and_Early_TLS_Resource_Guide.pdf

Minor PCI DSS Revision is Expected this Year

A minor revision to PCI DSS v3.2 is planned for mid-2018.  The revision is necessary to account for dates that had already passed, such as the February 1, 2018 effective date for new requirements mentioned above and SSL/early TLS migration dates.  There are no new requirements planned for this revision.

Full PCI DSS Revision is Under Development

Feedback received from participating organizations and assessors during the formal PCI DSS feedback period at the end of 2017 is currently being reviewed and considered for the next major release of the PCI DSS.  As updates are finalized, I will keep you informed on the anticipated timing of any PCI DSS revisions.