Presentation is loading. Please wait.

Presentation is loading. Please wait.

Summary of Changes PCI DSS V. 3.1 to V. 3.2

Published byAdam Parsons Modified over 6 years ago

Similar presentations

Presentation on theme: "Summary of Changes PCI DSS V. 3.1 to V. 3.2"— Presentation transcript:

1 Summary of Changes PCI DSS V. 3.1 to V. 3.2
Version 3.2 voluntary through October 31, Mandatory thereafter

2 Not a Major New Version The standard is mature
Most changes are cosmetic or are clarifications of version 3.1 Incorporates interim deadlines as final deadlines (SSL/TLS issue) Changed terminology use from “two-factor” authentication to “multi-factor” authentication Clarified that patching all software includes payment applications Created new Appendix A2 to address SSL/Early TLS issue Added new Appendix A3 to include Designated Entity Supplemental Validation requirements

3 Areas of Emphasis There are several new areas of emphasis in Version 3.2 Change management Administrative access Incident response Ecommerce, particularly A-EP environments

4 Version 3.2 SAQs No new SAQ versions, but changes to existing ones
# Questions V3.1 # Questions V3.2 Difference SAQ D-SP 347 369 +22 SAQ D-MER 326 331 +5 SAQ C 139 162 +23 SAQ A-EP 193 +54 SAQ B-IP 83 84 +1 SAQ C-VT 73 80 +7 SAQ B 41 SAQ P2PE-HW 35 33 -2 SAQ A 14 22 +8 SAQ A-EP now defines the merchant web site as the CDE, so there are significantly more controls that must be met within the A-EP environment. Much more emphasis in the A-EP on the firewall (Requirement 1), secure coding (Requirement 6), access to systems (Requirement 8), auditing of access to system(s) (Requirement 10), intrusion detection (Requirement 11).

5 Masking PAN Displaying the Primary Account Number (PAN)
Current requirement is no more than first six and last four digits of PAN can be displayed 123456XXXXXX1234 Any display of more digits of PAN require a legitimate business need Requirement 3.3

6 Change Control Additional change control requirement
Change control processes must include verification of PCI DSS requirements impacted by a (significant) change All relevant controls must be implemented on all new or changed systems Documentation must be updated as applicable Requirement 6.4.6 Effective February 1, 2018

7 Remote Administrative Access to CDE
For any non-console administrative access to CDE: All non-console access into CDE for personnel with administrative access must use multi-factor authentication (8.3.1) Current requirement for multi-factor authentication for remote access to CDE for personnel with administrative access still applies (8.3.2) Requirement 8.3.1 Best practice until January 31, 2018, then mandatory thereafter

8 High Risk Vulnerabilities
Vulnerabilities must be integrated into the risk assessment process Clarification that all “high risk” vulnerabilities must be addressed for internal scans In accordance with the entity’s vulnerability ranking (as per Requirement 6.1) Remediation must be verified by rescans Requirement

9 Appendix A1 – Shared Hosting Providers
Additional requirements for Service Providers (including Shared Hosting Providers) Must maintain documented description of cryptographic architecture Requirement 3.5.1; best practice until January 31, 2018, then mandatory thereafter Detect and report on failures of critical security control systems Requirement 10.8, effective February 1, 2018 Perform penetration testing on segmentation controls at least every six months Requirement , effective February 1, 2018 Service Provider Executive Management to establish responsibilities for protection of cardholder data and PCI DSS compliance program Requirement 12.4, effective February 1, 2018 Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures Requirement 12.11, effective February 1, 2018

10 Appendix A2– SSL/Early TLS
Incorporate requirements around insecure SSL/Early TLS New system implementations must not use SSL or early TLS (1.0) If TLS 1.1 is deprecated by the National Institutes for Standards and Technology (NIST), then TLS 1.1 must no longer be used by the deprecation effective date All service providers must provide a secure service offering by June 30, 2016 After June 30, 2018, all entities must have stopped use of SSL/Early TLS If SSL/Early TLS is being used, must have BOTH: Mitigation plan to compensate for the risk of SSL/Early TLS Migration plan to get off of SSL/Early TLS no later than June 30, 2018

11 Appendix A3 – DESV Requirements
Designated Entities Supplemental Validation (DESV) requirements are now officially incorporated into the DSS Any entity touching cardholder data can be designated a “Designated Entity” by the payment brand(s) or the Acquirer For storing, processing, and/or transmitting large volumes of cardholder data Providing aggregation points for cardholder data Suffering significant or repeated breaches of cardholder data Does NOT add any new requirements to the DSS Enhances the documentation / processes already required

12 Resources Documents available from the PCI Security Council website at: PCI DSS V3.2 PCI DSS Summary of Changes, V3.1 to V3.2 Prioritized Approach for PCI DSS V3.2 Prioritized Approach Tool V3.2 Glossary of Terms, Abbreviations, and Acronyms V3.2

13 For More Information For additional information or if you have any questions, please contact Coalfire through: Joseph D. Tinucci, CTP, QSA, CISSP Jon Bonham, CISA, QSA Dirk Anderson, CRISC, CISA, QSA, ASV

Download ppt "Summary of Changes PCI DSS V. 3.1 to V. 3.2"

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Session 4: Data Privacy and Fraud Moderator: Bill Houck, Director, Risk Management, UATP Panelist: Peter Warner, EVP, Retail Decisions Cherie Lauretta,

Session 4: Data Privacy and Fraud Moderator: Bill Houck, Director, Risk Management, UATP Panelist: Peter Warner, EVP, Retail Decisions Cherie Lauretta,
Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.

Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.
.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.

.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.
PCI DSS for Retail Industry

PCI DSS for Retail Industry
Protecting Credit Card Information

Protecting Credit Card Information
Navigating the New SAQs (Helping the 99% validate PCI compliance)

Navigating the New SAQs (Helping the 99% validate PCI compliance)
2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.

2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
University of Utah Financial and Business Services

University of Utah Financial and Business Services
Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.

Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.
Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.

Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.
PCI DSS Version 3.0 For Controllers and Business Users Luke Harris, Office of State the Controller David Reavis, UNC General Administration November 10,

PCI DSS Version 3.0 For Controllers and Business Users Luke Harris, Office of State the Controller David Reavis, UNC General Administration November 10,
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?
Visa Cemea Account Information Security (AIS) Programme

Visa Cemea Account Information Security (AIS) Programme
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
Kevin R Perry August 12, 2014. Part 1: High Level Changes & Clarifications.

Kevin R Perry August 12, Part 1: High Level Changes & Clarifications.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Similar presentations

Ads by Google