Version 3.2 of the PCI Data Security Standard (PCI DSS) will be retired at the end of 2018. Here are some reminders and resources for organizations completing their transition from PCI DSS version 3.2 to PCI DSS version 3.2.1.
PCI DSS Reminders
January 2019: PCI DSS v3.2 Retired
PCI DSS v3.2 will remain valid through 31 December 2018 and will be retired as of 1 January 2019. Prior to 1 January 2019, entities may validate to either version 3.2 or 3.2.1 of the standard. However, as of 1 January 2019, all validations must be to v3.2.1.
PCI DSS v3.2.1 was published in May 2018, giving organizations six months to complete their transition from v3.2. This transition period was provided to allow organizations time to update their reporting templates and forms. It also provided flexibility for entities whose validations in the latter half of 2018 encompassed the completion of their migration from SSL/early TLS prior to 30 June 2018. Entities looking to validate to version 3.2 of the standard should complete their validation before 1 January 2019.
Reminder: Use of SSL/Early TLS
Secure Sockets Layer (SSL) and Early Transport Layer Security (TLS) may not be used as a security control for PCI DSS, except by point of sale point of interaction (POS POI) terminals that are verified as not being susceptible to known exploits and the termination points to which they connect, as defined in PCI DSS Appendix A2.
If SSL/early TLS is still being used as a security control for PCI DSS, organizations should ensure compensating controls are implemented to mitigate the risk associated with its use and take the necessary steps to migrate to a secure alternative as soon as possible.
PCI DSS Resources
Information Supplements
SSL/Early TLS: Following the release of PCI DSS v3.2.1, PCI SSC published updated guidance on the use of SSL/Early TLS:
- Use of SSL/Early TLS and Impact on ASV Scans: Provides guidance for merchants and service providers using SSL/early TLS after 30 June 2018, and its impact on PCI DSS and ASV scans.
- Use of SSL/Early TLS for POS POI Terminal Connections: Additional guidance specifically for merchants and service providers using SSL/early TLS for card-present POS POI terminal connections after 30 June 2018.
Multi-factor Authentication (MFA): The MFA Information Supplement provides guidance on a number of industry-recognized best practices that should be included as part of a secure MFA implementation. This guidance is intended to help organizations understand the security principles for implementing and adapting MFA solutions effectively in order to better address security risks.
Protecting Telephone-based Payment Card Data: Developed by a PCI SSC Special Interest Group (SIG), the Protecting Telephone-based Payment Card Data Information Supplement explores common risks associated with telephone payment environments and considers how PCI DSS requirements could apply to different scenarios.
Cloud Computing Guidelines: Another PCI SSC SIG initiative, the PCI SSC Cloud Computing Guidelines provides guidance on how the use of cloud computing may affect PCI DSS implementations.
All of these information supplements are available on the PCI SSC Website in the Document Library under “Guidance Documents”.
Note: The information in these documents is intended as supplemental guidance and does not supersede, replace, or extend PCI DSS requirements.
FAQs
The Frequently Asked Questions (FAQ) resource on the PCI SSC website is updated regularly to address common questions PCI SSC receives from stakeholders. This searchable tool includes a library of questions and answers on a variety of topics across PCI Security Standards and programs.
Recent PCI DSS FAQs include:
- What version of PCI DSS should I use?
- How does PCI DSS Appendix A2 apply after the SSL/early TLS migration deadline?
- Is two-step authentication acceptable for PCI DSS Requirement 8.3?
- How do PCI DSS Requirements 2, 6 and 8 apply to SAQ A merchants?
- How does PCI DSS apply to VoIP?