The PCI Security Standards Council released an update to the PCI Data Security Standard (PCI-DSS) at the end of April 2016. The current version of PCI-DSS is now v3.2. If your organization is required to be PCI compliant, here are some key things to know that will help with the transition to the updated version:
1. Sunrise Period
The new standard has a sunrise period of six months. This means that if you have a PCI audit (assessment) scheduled between now and October 31, 2016, you may choose to have it conducted against PCI-DSS v3.1 (the old version) or v3.2 (the current version). v3.1 is retired on October 31, 2016, so from November 1, 2016 all assessments must use v3.2.
2. New Requirement Deadlines
A number of new requirements are considered best practices (recommended) until January 31, 2018, and become mandatory on February 1, 2018. Audits conducted before February 1, 2018 may include an assessor's note about your status against these best practices, but they will not affect the outcome of your assessment.
3. SSL/Early TLS to TLS 1.2 Migration Deadline
The deadline for moving off SSL and early TLS (TLS 1.0) has been extended from June 30, 2016 to June 30, 2018, and it applies to all entities, not only service providers. The Council's migration guidance sets TLS 1.1 as the minimum acceptable version and strongly recommends TLS 1.2. Until the deadline, existing implementations (other than POS POI terminals) must have a formal Risk Mitigation and Migration Plan in place; service providers must additionally offer a secure (TLS 1.1 or higher) service option by June 30, 2016. POS POI terminals that can be verified as not susceptible to the known exploits against SSL/early TLS may continue to use them after the deadline. The PCI Council created a new appendix (Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS) to give organizations more clarity on what is required in the interim.
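As an added illustration (not part of the original post and not taken from PCI DSS), here is what the migration looks like at a single TLS-terminating component, using nginx as an assumed example of an in-scope web tier. The hostname, certificate paths and cipher list are placeholders. The first server block shows the common pre-migration setting, which still accepts TLS 1.0 and 1.1; the second restricts the listener to TLS 1.2.

```nginx
# BEFORE: accepts early TLS. "TLSv1 TLSv1.1 TLSv1.2" was nginx's default
# ssl_protocols value for years, so many deployments have it without ever
# having set it explicitly. TLSv1 (and TLSv1.1) is what Appendix A2 retires.
server {
    listen 443 ssl;
    server_name payments.example.com;                  # placeholder hostname
    ssl_certificate     /etc/ssl/certs/payments.crt;   # placeholder paths
    ssl_certificate_key /etc/ssl/private/payments.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

# AFTER: TLS 1.2 only, with the server choosing the cipher suite.
server {
    listen 443 ssl;
    server_name payments.example.com;
    ssl_certificate     /etc/ssl/certs/payments.crt;
    ssl_certificate_key /etc/ssl/private/payments.key;

    ssl_protocols TLSv1.2;          # add TLSv1.3 on nginx 1.13.0+ built against OpenSSL 1.1.1+
    ssl_prefer_server_ciphers on;
    # AEAD suites with forward secrecy only; no RC4, no CBC-with-SHA1, no static RSA key exchange.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
}
```

After reloading, confirm from outside the host that the old protocols are actually refused rather than trusting the config file: `openssl s_client -connect payments.example.com:443 -tls1` (and `-tls1_1`) should fail the handshake, while `-tls1_2` should succeed. Repeat this for every TLS endpoint in scope, not just the web tier: load balancers, API gateways, mail servers, database listeners and management interfaces are easy to miss, and the Risk Mitigation and Migration Plan in Appendix A2 expects you to describe where SSL/early TLS is still in use.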
4. Multi-Factor Authentication Requirements
Although only a best practice until January 31, 2018 (mandatory from February 1, 2018), new Requirement 8.3.1 requires multi-factor authentication for all non-console administrative access into the cardholder data environment (CDE), including administrators connecting from inside the network. Previously, Requirement 8.3 in v3.1 required two-factor authentication only for remote network access originating from outside the entity's network; v3.2 keeps that as Requirement 8.3.2 and replaces the term "two-factor" with "multi-factor" throughout. Because internal administrative access is now covered, this will likely impact most organizations.
If your organization requires PCI compliance, you should perform your own due diligence and read PCI-DSS v3.2 and the accompanying Summary of Changes document to ensure you understand the full scope of the changes. We recommend reviewing the new requirements and documenting a roadmap for implementation. Some of them could require significant time and budget because of the technological or organizational changes involved.
If you are a current ZenGRC customer, please email your ZenGRC Customer Success Manager (support@zengrc.com), who is available for support if you have any questions.