PCI DSS 3.2.1: What Your Business Needs To Know
June 29, 2018
Herjavec Group Contributor: David Mundhenk, CISSP, PCI QSA, PCIP
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide standard, published and maintained by the PCI Security Standards Council (SSC). It is endorsed and enforced by all major credit card brands and their approved acquirers, and is intended to protect cardholder data wherever it is processed, stored, or transmitted.
PCI DSS version 3.2 was mandatory for all assessments with a report date after October 31, 2016 and had mandatory requirements effective February 1, 2018. A summary of those requirements can be reviewed in detail here.
Most recently, in May 2018, PCI DSS version 3.2.1 was released and became mandatory for all compliance assessments performed after June 30, 2018. This version addressed requirements that were previously communicated and considered ‘best practices’ for merchants and service providers but are now mandatory effective June 30, 2018.
There are two mandatory requirements effective June 30, 2018, relating to Appendix A2 and Appendix B of PCI DSS v3.2.1:
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections - allows existing implementations of SSL and early TLS to remain in use, provided that additional security controls are in place to mitigate the known vulnerabilities associated with those protocols.
Under this Appendix update, the PCI DSS requirements directly affected are:
- Requirement 2.2.3 – Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.
- Requirement 2.3 – Encrypt all non-console administrative access using strong cryptography.
- Requirement 4.1 – Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
Service providers still supporting SSL/early TLS must maintain a Risk Mitigation and Migration Plan detailing the additional security controls in place. To continue using legacy SSL/TLS terminals, merchants must remain vigilant in monitoring for new vulnerabilities that may affect those POS/POI terminals. New POS/POI implementations must not use SSL or early TLS as a security control.
Appendix B: Compensating Controls - removes multi-factor authentication (MFA) from the list of allowed compensating controls (i.e. legitimate alternative measures an enterprise may use when it cannot meet a requirement exactly as stated).
While merchants and service providers were previously able to use compensating controls in lieu of implementing MFA for non-console administrative access, they are now required to use MFA for all non-console administrative access. The use of one-time passwords (a form of MFA) has also been added as a potential control for this scenario.
This summary offered a brief overview of the requirements presented in PCI DSS v3.2.1. As a reminder, the goal of the evolving PCI DSS requirements is to ensure improved compliance through risk assessments across your organization. Please review these changes carefully and seek support from a third-party assessor in order to ensure compliance.
To learn how Herjavec Group can help you conduct PCI DSS compliance assessments, please connect with a security specialist today.