What happens next with the PCI Data Security Standard (PCI DSS)? Here we look at key updates and milestones to help organizations in their PCI DSS and payment security efforts.
1. PCI DSS 3.2 Effective Date for New Requirements has Come and Gone
February 1, 2018 marked the date that all new requirements introduced in PCI DSS version 3.2 must be adopted by organizations and included in their PCI DSS assessments.
For all organizations:
- Change management processes to confirm that affected PCI DSS requirements are in place after significant change (Requirement 6.4.6)
- Multi-factor authentication for all non-console administrative access (Requirement 8.3.1)
Additional requirements for service providers:
- Maintain a documented description of the cryptographic architecture (Requirement 3.5.1)
- Detect and respond to failures of critical security control systems (Requirements 10.8, 10.8.1)
- Perform penetration testing on segmentation controls at least every six months (Requirement 11.3.4.1)
- Establish a formal PCI DSS compliance program (Requirement 12.4.1)
- Perform reviews at least quarterly to ensure security policies and procedures are followed (Requirements 12.11, 12.11.1)
More information: Summary of Changes from PCI DSS 3.1 to 3.2
2. June 30, 2018 is the Deadline for SSL/Early TLS Migration
Secure Sockets Layer (SSL) and early versions of Transport Layer Security (TLS) are no longer considered strong cryptography: every version of SSL and TLS 1.0 have well-documented protocol weaknesses (POODLE against SSLv3 and BEAST against TLS 1.0 CBC cipher suites are two of the better known) that cannot be fixed by configuration alone. It is critically important that organizations upgrade to a secure version of TLS, such as TLS v1.2 or higher, as soon as possible and disable any fallback to SSL/early TLS rather than merely preferring the newer version: a server that still offers an early version can be negotiated down to it.
Many PCI DSS requirements call for 'strong cryptography' as defined in the PCI DSS glossary (see PCI DSS v3.2 Appendix A2 for the current requirements on SSL/early TLS). After 30 June 2018, SSL/early TLS should not be used as a security control to meet any PCI DSS requirement that calls for strong cryptography.
Note: POS POI terminals that are verified as not being susceptible to any known exploits, and the service provider termination points to which they connect, may continue using SSL/early TLS as a security control.
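As an added example (not part of the original PCI SSC post), the following Python script shows what checking for leftover SSL/early TLS looks like in practice: it audits nginx `ssl_protocols` and Apache `SSLProtocol` directives for versions that the migration must remove, places the pre-migration settings beside the corrected ones, and builds a Python client context that cannot negotiate below TLS 1.2. The configuration snippets are constructed samples, not from any real deployment, and the function names are the example's own.

```python
import re
import ssl

# Protocol names as they appear in nginx "ssl_protocols" and Apache "SSLProtocol".
# SSL (all versions) and TLS 1.0/1.1 are "SSL/early TLS" for PCI DSS purposes.
EARLY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# What Apache's "all" keyword expands to (SSLv2 was removed from mod_ssl long ago).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def apache_enabled(value):
    """Resolve an Apache SSLProtocol value ("all -SSLv3 -TLSv1") to the set of enabled versions."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = APACHE_ALL if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= names
        else:
            enabled |= names
    return enabled


def nginx_enabled(value):
    """nginx lists the enabled versions explicitly: "ssl_protocols TLSv1.2 TLSv1.3"."""
    return set(value.split())


def audit(config_text):
    """Return (line_no, directive, [weak versions]) for every directive that still
    enables SSL or early TLS. Lines without a protocol directive are ignored; a
    missing directive means the server default applies and must be checked separately."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        m = re.match(r"(ssl_protocols|SSLProtocol)\s+(.+)$", line)
        if not m:
            continue
        directive, value = m.groups()
        enabled = nginx_enabled(value) if directive == "ssl_protocols" else apache_enabled(value)
        weak = sorted(enabled & EARLY_TLS)
        if weak:
            findings.append((line_no, directive, weak))
    return findings


# Constructed sample snippets (not from a real deployment): the pre-migration
# settings, and the same directives after the migration.
WEAK_CONFIG = """\
# nginx: still offers TLS 1.0 and 1.1 to clients
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Apache: "all" minus SSLv2/SSLv3 still leaves TLS 1.0 and 1.1 enabled
SSLProtocol all -SSLv2 -SSLv3
"""

FIXED_CONFIG = """\
ssl_protocols TLSv1.2 TLSv1.3;
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
"""


def hardened_client_context():
    """Client-side equivalent: a context that refuses to negotiate below TLS 1.2,
    so no fallback to SSL/early TLS is possible regardless of the OpenSSL defaults."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_allows_early_tls(ctx):
    """True if the context could still negotiate SSL, TLS 1.0 or TLS 1.1."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("line %d: %s still enables %s" % finding)
    print("fixed config findings:", audit(FIXED_CONFIG))
    print("hardened client allows early TLS:", context_allows_early_tls(hardened_client_context()))
```

The Apache case is the one that catches people: `SSLProtocol all -SSLv2 -SSLv3` reads as hardened but still leaves TLS 1.0 and 1.1 on, because `all` expands to every version mod_ssl knows and only the versions explicitly subtracted are removed. A config audit of this kind only confirms what is written down; the same check should be repeated against the live listener (for example with a TLS scanner that attempts a TLS 1.0 handshake), since a default that is never overridden will not appear in any file.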
More information: PCI SSC Migrating from SSL/Early TLS Resource Guide
3. Minor PCI DSS Revision is Expected this Year
A minor revision to PCI DSS v3.2 is planned for mid-2018. The revision is necessary to account for dates that have already passed, such as the 1 February 2018 effective date for new requirements mentioned above and SSL/early TLS migration dates. No new requirements are planned for this revision.
4. Full PCI DSS Revision is Under Development
Feedback received from Participating Organizations and assessors during the formal PCI DSS feedback period at the end of 2017 is being reviewed and considered for the next major release of the PCI DSS.
As with any standard update, we will keep PCI SSC stakeholders informed on PCI DSS updates as they are finalized and on the anticipated timing of any PCI DSS revisions.