PCI DSS V3.2 – Changes Overview


Almost a year after the release of PCI DSS V3.1, the Payment Card Industry Security Standards Council has introduced yet another upgraded version, PCI DSS V3.2. Each new version adds new requirements and concentrates on a few major areas. When PCI DSS V3.1 was released last year, the focus was on Penetration Testing.

PCI DSS has 12 major requirements grouped under 6 categories, and the V3.1 focus was on requirement 11.3, which covers Penetration Testing. From July 2015 vendors were asked to implement V3.1, under which Penetration Testing is not optional but mandatory.

PCI DSS V3.2 focuses on Encryption Standards and User Authentication. Moreover, Penetration Testing is now required twice a year, which means a Penetration Test must be conducted every six months. Previously, in PCI DSS V3.1, vendors were only advised to conduct a PCI Pen Test. There are many other additions, which are described later in this article.

In October 2016 PCI DSS V3.1 will be retired, and from that time onwards Self-Assessment Questionnaires must follow PCI DSS V3.2, as this version has more requirements than the previous one.

The PCI Council is planning to make frequent smaller releases rather than releasing major versions in a three-year cycle. This helps keep security policies aligned with attacks that are growing and changing day by day. Even though it is good to have more security regulations, they are a heavy burden for those who have to comply, as implementing every new requirement is not as easy as it seems.

Requirements 3, 10, 11 and 12 have been expanded, and a few new requirements have been added. If you are not familiar with the PCI DSS requirements, please go through the tutorial PCI DSS Compliance Basic. It gives you a good basic understanding of PCI DSS and its 12 major requirements under 6 categories.

Listed below are the most important changes made in PCI DSS V3.2, as described in the PCI Security Standards blog.

New requirement 6.4.6 states that organizations must ensure that the applicable security controls are in place following a change in their cardholder data environment.

New requirements 10.8 and 10.8.1 require service providers to detect and report failures of critical security control systems.

New requirement 11.3.4.1 requires service providers to perform penetration testing on segmentation controls every six months.

New requirement 12.4.1 requires the executive management of service providers to establish responsibilities for, and a program to maintain, PCI DSS compliance.

Requirements 12.11 and 12.11.1 require service providers to perform quarterly reviews to confirm that personnel are following security policies and operational procedures.