Learn what’s changed in the latest version of the PCI DSS.

PCI DSS version 3.2.1

The Payment Card Industry Security Standards Council (PCI SSC) recently announced the release of the PCI Data Security Standard version 3.2.1.

The Council previously released version 3.2 in April of 2016 to replace version 3.1, which brought with it some big changes, among which were new requirements for service providers and additional guidance about multi-factor authentication.

So what has changed between versions 3.2 and 3.2.1?

Changes to standard characterized as "clarifications" 

All of the changes in this latest version 3.2.1 are characterized by the PCI Council as clarification—as
opposed to additional guidance or actual changes in requirements. The intent of clarification from the PCI Council is to ensure that “concise wording in the standard portrays the desired intent of requirements.”

Many of the changes involve simply removing requirements’ effective dates which have passed or correcting minor punctuation and format issues. However, there are a few items of clarification regarding SSL/early TLS and multi-factor authentication that are worth noting:

  • “Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS” has been renamed “Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS for Card-Present POS POI terminal connections.” 

  • In Appendix A2, requirements A2.1 – A2.3 were updated to focus only on the allowance for POS POIs that are not susceptible to known exploits and their service provider termination points to continue using SSL/early TLS.

  • In “Appendix B: Compensating Controls,” Multi-factor authentication was removed from the compensating control example, as MFA is now required for all non-console administrative access. The use of one-time passwords (tokens) as an alternative potential control for this scenario was added.

Stay updated to maintain compliance 

While these changes are not likely to affect your day-to-day data security routines or require much extra time or money, it’s important to use the latest version of the PCI DSS to avoid misunderstandings and potential gaps in security.

You can read a full and detailed summary of changes between PCI DSS version 3.2 and 3.2.1 here.

If you need help with PCI compliance or would like to know more about PCI audits, contact us here.