See what changes PCI 3.2 brings and what you’ll need to do. 

By: George Mateaki
SEE ALSO: PCI DSS 3.2 Changes: What Your Business Needs to Know

You may have heard the PCI Council is releasing PCI DSS 3.2 in April 2016. But what does this mean? How much will you need to change at your business? Why are they releasing it early? Here are some things you should know.

Instead of releasing the latest version in November, as they usually do, the PCI Council has decided to release 3.2 early for a few reasons. One is to incorporate the updated migration dates for moving off SSL and early TLS. Since that date has been changed from June 2016 to June 2018, the Council wanted merchants to be aware of it. The other reason is that the changes to the standard are fairly minor, so instead of releasing PCI DSS 4.0, they opted for PCI DSS 3.2.

What changes should we expect with PCI DSS 3.2?

Let's take a closer look at some of the expected changes in PCI DSS 3.2.

Multi-factor authentication required in and out

3.2 will evaluate additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE). Multi-factor (including two-factor) authentication is an effective way to secure your CDE, and is a requirement under PCI DSS. To properly configure two-factor authentication, you must use two of these three things:
  • Something you know (username, password, etc.)
  • Something you have (e.g., a code from your phone)
  • Something you are (fingerprint or other biometrics)

SEE ALSO: New Multi-Factor Authentication Clarification and Supplement: The Principles You Should Know

Prior to PCI DSS 3.2, multi-factor authentication was only required for remote access to the network by employees, administrators, and third parties. Now, even if your connection originates within the CDE, you need to use multi-factor authentication. As with all the PCI DSS requirements, this reflects the current threat landscape. These changes help strengthen security within your CDE as well as outside it.
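As an added illustration (not code from the article or from SecurityMetrics), the policy model below encodes the "two of three" rule and the 3.2 change that extends MFA to administrator access originating inside the CDE. The method-to-factor mapping and the "remote"/"cde" origin labels are constructed assumptions for this example.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Constructed mapping of login methods to factor categories (an assumption for this example).
METHOD_FACTOR = {
    "password": Factor.KNOW,
    "security_question": Factor.KNOW,
    "totp_app": Factor.HAVE,
    "hardware_token": Factor.HAVE,
    "fingerprint": Factor.ARE,
}


def is_multi_factor(methods):
    """True only if at least two *different* categories are used.

    Two methods from the same category (password + security question) are
    still a single factor, which is the mistake the 'two of three' rule guards against.
    """
    categories = {METHOD_FACTOR[m] for m in methods}
    return len(categories) >= 2


@dataclass(frozen=True)
class AdminLogin:
    user: str
    origin: str      # constructed labels: "remote" (outside the network) or "cde" (inside)
    methods: tuple   # keys of METHOD_FACTOR presented at login


def mfa_required(login, version="3.2"):
    """Pre-3.2: only remote access needed MFA. 3.2 adds admin access from inside the CDE."""
    if login.origin == "remote":
        return True
    return version == "3.2"


def is_compliant(login, version="3.2"):
    """Whether this administrator login satisfies the MFA requirement for the given version."""
    return is_multi_factor(login.methods) if mfa_required(login, version) else True


def audit(logins, version="3.2"):
    """Return the users whose logins would fail under the given version of the requirement."""
    return sorted({login.user for login in logins if not is_compliant(login, version)})
```

Running audit() over your existing admin sessions under "3.1" and then "3.2" shows exactly which in-CDE logins become non-compliant with the new version.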

SEE ALSO: 2 Things You Should Know about PCI 3.2 Multi-Factor Authentication Updates

Incorporating Designated Entities Supplemental Validation into PCI DSS

3.2 may be incorporating some extra validation procedures for service providers. In addition to full PCI DSS validation, designated entities determined by acquirers or payment brands must undergo additional validation that determines whether a business’s day-to-day practices reflect their compliance.

The additional validation procedures are for designated entities to ensure they are PCI compliant on a day-to-day basis.

An example would be looking at a list of all the change controls in a merchant’s environment for the past year. These procedures could include anything that demonstrates day-to-day compliance. Some examples include:
  • Enhanced documentation
  • Suspicious events mapped
  • Validation that logical access to the CDE is controlled and managed effectively

Clarifying masking criteria

3.2 will clarify masking criteria for primary account numbers (PAN) when displayed. Masking means hiding information from view. Take note, this is not the same as encryption. When displaying a credit card number, you are allowed to display, at a maximum, the first six and last four digits. If you display more than that, you’re not compliant.

Whether you should display fewer digits of the PAN may depend on various legal requirements. Another noteworthy related point: if your business stores PAN, you’re also required to encrypt and properly secure it.
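An added example (not from the article) of applying the first-six/last-four rule in code: mask_pan refuses any display request that would reveal more than allowed, and display_is_compliant audits a value that has already been rendered. The 13 to 19 digit PAN length range and the asterisk mask character are assumptions of this example.

```python
import re

MAX_LEADING = 6    # at most the first six digits may be shown
MAX_TRAILING = 4   # at most the last four digits may be shown
MASK_CHAR = "*"    # assumption: asterisk as the mask character


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes; accept 13-19 digit PANs (assumed plausible length range)."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN")
    return digits


def mask_pan(pan: str, show_first: int = MAX_LEADING, show_last: int = MAX_TRAILING) -> str:
    """Return the PAN for display, refusing any request that exposes more than allowed."""
    if not (0 <= show_first <= MAX_LEADING and 0 <= show_last <= MAX_TRAILING):
        raise ValueError("requested display exceeds the first-six/last-four limit")
    digits = normalize_pan(pan)
    hidden = len(digits) - show_first - show_last
    return digits[:show_first] + MASK_CHAR * hidden + digits[len(digits) - show_last:]


def display_is_compliant(displayed: str) -> bool:
    """Audit a rendered value: no digit may be visible outside the first six / last four."""
    value = re.sub(r"[ -]", "", displayed)
    if not 13 <= len(value) <= 19:
        return False
    middle = value[MAX_LEADING:len(value) - MAX_TRAILING]
    return not any(ch.isdigit() for ch in middle)
```

display_is_compliant is the check to run over screenshots, receipts and report templates, since a display that shows seven leading digits fails even though it "looks" masked.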

SEE ALSO: How Much Credit Card Data do You Store? (It’s More Than You Think)

Updated migration dates

In December 2015, the migration dates for companies to move from SSL and early TLS to the latest version of TLS were pushed back from June 2016 to June 2018. The PCI Council wanted to reflect that date change in the latest version of PCI DSS.

Many businesses are opting to stick to the old date so they don’t have to deal with the extra exposure. Relying on SSL is very risky, since the protocol has many exploitable vulnerabilities. So even though the deadline has been extended, it’s a good idea to make those changes as soon as possible.
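An added example (not the article's or SecurityMetrics' code) of one practical migration check: scanning connection logs for clients that still negotiate SSL or early TLS, so you know who will break before you disable those versions. The log layout and the sample lines are constructed, and grouping TLS 1.1 with early TLS is this example's own assumption.

```python
import re
from collections import Counter

# Versions to retire versus the migration target. Treating TLS 1.1 as "early TLS"
# is an assumption of this example, not a statement from the article.
RETIRED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ACCEPTED = {"TLSv1.2", "TLSv1.3"}

# Constructed sample lines in an assumed "ip protocol cipher uri" layout, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 /checkout
203.0.113.11 TLSv1 AES256-SHA /checkout
198.51.100.5 TLSv1.3 TLS_AES_256_GCM_SHA384 /api/pay
203.0.113.11 SSLv3 RC4-SHA /checkout
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<proto>\S+) (?P<cipher>\S+) (?P<uri>\S+)$")


def parse(log: str):
    """Yield one dict per well-formed line; malformed lines are skipped rather than guessed."""
    for line in log.splitlines():
        match = LINE_RE.match(line)
        if match:
            yield match.groupdict()


def early_tls_clients(log: str) -> dict:
    """Map each client IP still using a retired version to a Counter of the versions seen."""
    found = {}
    for rec in parse(log):
        if rec["proto"] in RETIRED:
            found.setdefault(rec["ip"], Counter())[rec["proto"]] += 1
    return found


def unknown_versions(log: str) -> set:
    """Versions that are neither retired nor accepted, so the lists above need updating."""
    return {rec["proto"] for rec in parse(log) if rec["proto"] not in RETIRED | ACCEPTED}


def migration_ready(log: str) -> bool:
    """True when no connection in the log used a retired version."""
    return not early_tls_clients(log)
```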

Get ready for 3.2

Most of these changes are smaller things that may or may not affect your business, depending on your unique processing environment. To prepare for these changes, I would look at where you’re implementing multi-factor authentication, see if your day-to-day actions reflect PCI compliance, and make sure your business will migrate to current versions of TLS on time.

Additionally, make sure you’re up to date on the most current PCI version, since it will help you be more ready for the new changes PCI 3.2 will bring. It will save you time and money.

Need help getting compliant? Check out our PCI compliance solutions!

George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT. 
