On May 17, 2018, the Payment Card Industry Security Standards Council (PCI SSC) released version 3.2.1 of its PCI Data Security Standard (PCI DSS). Founded in 2004 by Visa, MasterCard, Discover, and American Express, the PCI SSC produces the “best practices” for enhancing the security of payment card and cash card transactions, as well as ensuring consumer protection against abuse of personal data. This new version replaces v3.2 and remains valid through December 31, 2018. The primary purpose of this update is to amend phrasing in PCI DSS v3.2 to eliminate confusion around the effective dates for requirements introduced in that version.

Importantly, v3.2.1 also seeks to clarify the migration requirements surrounding the Secure Sockets Layer (SSL)/early Transport Layer Security (TLS) technologies. Overall, these changes are intended to reflect how existing requirements are affected once the effective dates and the SSL/TLS deadlines have passed, allowing organizations to accurately report how their implementations meet the existing requirements after June 30, 2018. The changes include:

  • Removal of notes referring to an effective date of February 1, 2018 for applicable requirements, as this date has passed.
  • Updates to applicable requirements and Appendix A2 to reflect that only point-of-sale point-of-interaction (POS POI) terminals and their service provider connection points may continue using SSL/early TLS as a security control after June 30, 2018.
  • Removal of multi-factor authentication (MFA) from the compensating control example in Appendix B, as MFA is now required for all non-console administrative access; addition of one-time passwords as an alternative potential control for this scenario.

Further, the updates in v3.2.1 do not affect the Payment Application Data Security Standard (PA-DSS), which remains at v3.2.

The PCI SSC has published the full summary of changes from v3.2 to v3.2.1 alongside the complete text of v3.2.1.

By Karen Painter Randall of Connell Foley