PCI Data Security Standard (PCI DSS) version 3.2 is available now. The new version addresses growing threats to customer payment information. Version 3.1 will expire on October 31, 2016.
PCI DSS 3.2 includes new requirements for administrators and service providers, and for the cardholder data environments they are responsible for protecting.
A significant change in PCI DSS 3.2 is the requirement for multi-factor authentication for any personnel with administrative access into environments handling card data. Previously this requirement applied only to remote access from untrusted networks. A password alone should not be enough to verify an administrator’s identity and grant access to sensitive information.
The update to the standard is part of the regular process for ensuring the PCI DSS addresses current challenges and threats. This process factors in industry feedback from the PCI Council’s more than 700 global Participating Organizations, as well as data breach report findings and changes in payment acceptance.
Key changes in PCI DSS 3.2 include:
• Revised Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) sunset dates as outlined in the Bulletin on Migrating from SSL and Early TLS
• Expansion of requirement 8.3 to include use of multi-factor authentication for administrators accessing the cardholder data environment
• Additional security validation steps for service providers and others, including the “Designated Entities Supplemental Validation” (DESV) criteria, which were previously published as a separate document